From 27bb862424bd72e3160e218b324bafe6067c3985 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Thu, 5 May 2022 11:50:23 +0100
Subject: [PATCH 1/3] docs(kicsbot): update images digest (#5302)
Co-authored-by: rogeriopeixotocx
---
docs/docker/nightly.csv | 4 ++++
docs/docker/nightly.md | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/docs/docker/nightly.csv b/docs/docker/nightly.csv
index 34cb5b60204..cae6df171b2 100644
--- a/docs/docker/nightly.csv
+++ b/docs/docker/nightly.csv
@@ -261,3 +261,7 @@ scratch,fd4160fd,2022-05-04,sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46
alpine,fd4160fd,2022-05-04,sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46c3c8094ca2344dc1423
debian,fd4160fd,2022-05-04,sha256:ec36ec2197079b09ffe38ee5b68d4dfe0cf36efc47ceeaa72de4739a4c39dd36
ubi8,fd4160fd,2022-05-04,sha256:1925dc6ee1d01c27e702a84bcedb4925304602988caf4d9f22a27555bcf2fbee
+scratch,c2993ec2,2022-05-05,sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+alpine,c2993ec2,2022-05-05,sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+debian,c2993ec2,2022-05-05,sha256:6ef241e07372a753f84a6e75a67491a2b101fe302c0baf198a6ad39f8cdda0d2
+ubi8,c2993ec2,2022-05-05,sha256:66be122109613eea6e85a3f25e50846f382d675b23a36ca8ddb42f556739c1fe
diff --git a/docs/docker/nightly.md b/docs/docker/nightly.md
index 9c2778c3579..e11b62b255b 100644
--- a/docs/docker/nightly.md
+++ b/docs/docker/nightly.md
@@ -262,3 +262,7 @@ scratch | fd4160fd | 2022-05-04 | sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092
alpine | fd4160fd | 2022-05-04 | sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46c3c8094ca2344dc1423
debian | fd4160fd | 2022-05-04 | sha256:ec36ec2197079b09ffe38ee5b68d4dfe0cf36efc47ceeaa72de4739a4c39dd36
ubi8 | fd4160fd | 2022-05-04 | sha256:1925dc6ee1d01c27e702a84bcedb4925304602988caf4d9f22a27555bcf2fbee
+scratch | c2993ec2 | 2022-05-05 | sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+alpine | c2993ec2 | 2022-05-05 | sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+debian | c2993ec2 | 2022-05-05 | sha256:6ef241e07372a753f84a6e75a67491a2b101fe302c0baf198a6ad39f8cdda0d2
+ubi8 | c2993ec2 | 2022-05-05 | sha256:66be122109613eea6e85a3f25e50846f382d675b23a36ca8ddb42f556739c1fe
From 5c889a12abbbbb27269907796dc1c006833cbd44 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva Date: Thu, 5 May 2022 12:18:54 +0100 Subject: [PATCH 2/3] update open port aws queries name --- assets/libraries/terraform.rego | 4 ++-- .../metadata.json | 4 ++-- .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 14 +++++++------- .../aws/remote_desktop_port_open/metadata.json | 4 ++-- .../test/positive_expected_result.json | 14 +++++++------- .../aws/http_port_open/metadata.json | 4 ++-- .../test/positive_expected_result.json | 4 ++-- .../aws/remote_desktop_port_open/metadata.json | 4 ++-- .../test/positive_expected_result.json | 4 ++-- .../terraform/aws/http_port_open/metadata.json | 4 ++-- .../terraform/aws/http_port_open/query.rego | 2 +- .../test/positive_expected_result.json | 4 ++-- .../query.rego | 8 ++++---- .../query.rego | 8 ++++---- .../test/positive_expected_result.json | 12 ------------ .../metadata.json | 4 ++-- .../query.rego | 2 +- .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 12 ++++++++++++ .../query.rego | 4 ++-- .../query.rego | 2 +- 25 files changed, 59 insertions(+), 59 deletions(-) rename assets/queries/ansible/aws/{http_port_open => http_port_open_to_internet}/metadata.json (73%) rename assets/queries/ansible/aws/{http_port_open => http_port_open_to_internet}/query.rego (100%) rename assets/queries/ansible/aws/{http_port_open => http_port_open_to_internet}/test/negative.yaml (100%) rename assets/queries/ansible/aws/{http_port_open => http_port_open_to_internet}/test/positive.yaml (100%) rename assets/queries/ansible/aws/{http_port_open => http_port_open_to_internet}/test/positive_expected_result.json (50%) delete mode 100644 assets/queries/terraform/aws/remote_desktop_port_open/test/positive_expected_result.json rename assets/queries/terraform/aws/{remote_desktop_port_open => remote_desktop_port_open_to_internet}/metadata.json (67%) rename assets/queries/terraform/aws/{remote_desktop_port_open => 
remote_desktop_port_open_to_internet}/query.rego (90%)
rename assets/queries/terraform/aws/{remote_desktop_port_open => remote_desktop_port_open_to_internet}/test/negative.tf (100%)
rename assets/queries/terraform/aws/{remote_desktop_port_open => remote_desktop_port_open_to_internet}/test/positive.tf (100%)
create mode 100644 assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json
diff --git a/assets/libraries/terraform.rego b/assets/libraries/terraform.rego
index e9def851747..a5fd1608e85 100644
--- a/assets/libraries/terraform.rego
+++ b/assets/libraries/terraform.rego
@@ -9,13 +9,13 @@ check_cidr(rule) {
}

# Checks if a TCP port is open in a rule
-openPort(rule, port) {
+portOpenToInternet(rule, port) {
check_cidr(rule)
rule.protocol == "tcp"
containsPort(rule, port)
}

-openPort(rules, port) {
+portOpenToInternet(rules, port) {
rule := rules[_]
check_cidr(rule)
rule.protocol == "tcp"
diff --git a/assets/queries/ansible/aws/http_port_open/metadata.json b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
similarity index 73%
rename from assets/queries/ansible/aws/http_port_open/metadata.json
rename to assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
index 7711fbe8303..1332cd2ebba 100644
--- a/assets/queries/ansible/aws/http_port_open/metadata.json
+++ b/assets/queries/ansible/aws/http_port_open_to_internet/metadata.json
@@ -1,9 +1,9 @@
{
"id": "a14ad534-acbe-4a8e-9404-2f7e1045646e",
- "queryName": "HTTP Port Open",
+ "queryName": "HTTP Port Open To Internet",
"severity": "HIGH",
"category": "Networking and Firewall",
- "descriptionText": "The HTTP port is open in a Security Group",
+ "descriptionText": "The HTTP port is open to the internet in a Security Group",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
"platform": "Ansible",
"descriptionID": "8c6031b8",
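Review bot: The header comment `# Checks if a TCP port is open in a rule` no longer matches the renamed rule `portOpenToInternet`, which (through `check_cidr`, defined above the hunk) asserts that the rule's CIDR is unrestricted; update it to `# Checks if a TCP port in a rule is reachable from an unrestricted CIDR (open to the internet)`. Separately, both bodies keep `rule.protocol == "tcp"`, so an ingress rule with `protocol = "-1"` (all protocols, which includes TCP) on the same open CIDR is never matched and every caller renamed in this commit (ports 22, 80, 2383, 3389) silently reports nothing for it; this gap is pre-existing, but the new name promises more than the check delivers. Replacing that line with `{"tcp", "-1"}[rule.protocol]` in both rules would close it, subject to how `containsPort` (outside the hunk) treats the port range such rules carry. The second rule's body continues past the end of the hunk.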
diff --git a/assets/queries/ansible/aws/http_port_open/query.rego b/assets/queries/ansible/aws/http_port_open_to_internet/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/http_port_open/query.rego
rename to assets/queries/ansible/aws/http_port_open_to_internet/query.rego
diff --git a/assets/queries/ansible/aws/http_port_open/test/negative.yaml b/assets/queries/ansible/aws/http_port_open_to_internet/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/http_port_open/test/negative.yaml
rename to assets/queries/ansible/aws/http_port_open_to_internet/test/negative.yaml
diff --git a/assets/queries/ansible/aws/http_port_open/test/positive.yaml b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/aws/http_port_open/test/positive.yaml
rename to assets/queries/ansible/aws/http_port_open_to_internet/test/positive.yaml
diff --git a/assets/queries/ansible/aws/http_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
similarity index 50%
rename from assets/queries/ansible/aws/http_port_open/test/positive_expected_result.json
rename to assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
index e790258919b..32437f20b8a 100644
--- a/assets/queries/ansible/aws/http_port_open/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
@@ -1,36 +1,36 @@ [ { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 9 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 23 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 36 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 49 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 64 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 79 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 93 } diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json index d8b20927835..7bcdeefbc05 100644 --- a/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/metadata.json @@ -1,9 +1,9 @@ { "id": "eda7301d-1f3e-47cf-8d4e-976debc64341", - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "category": "Networking and Firewall", - "descriptionText": "The Remote Desktop port is open in a Security Group", + "descriptionText": "The Remote Desktop port is open to the internet in a Security Group", "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module", "platform": "Ansible", "descriptionID": "d644276b", diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json index c27a08cf1c0..656120158f2 100644 
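Review bot: The directory `assets/queries/ansible/aws/remote_desktop_port_open` keeps its old name while its `queryName` becomes `"Remote Desktop Port Open To Internet"`, whereas the ansible `http_port_open` and terraform `remote_desktop_port_open` queries in this same commit are moved to `…_to_internet` directories, so the tree now mixes two conventions. The same mismatch appears in the `cloudFormation/aws/http_port_open`, `cloudFormation/aws/remote_desktop_port_open` and `terraform/aws/http_port_open` metadata hunks that follow. Renaming those four directories as well (or none of them) would keep directory names aligned with `queryName` consistently. Note too that `descriptionText` changes in each of these hunks while `descriptionID` stays the same; if that id is derived from the description text it presumably needs regenerating — worth confirming against how descriptionID is produced.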
--- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json @@ -1,36 +1,36 @@ [ { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 9 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 23 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 36 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 49 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 64 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 79 }, { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 93 } diff --git a/assets/queries/cloudFormation/aws/http_port_open/metadata.json b/assets/queries/cloudFormation/aws/http_port_open/metadata.json index ba549187059..6ac286304af 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/metadata.json +++ b/assets/queries/cloudFormation/aws/http_port_open/metadata.json @@ -1,9 +1,9 @@ { "id": "ddfc4eaa-af23-409f-b96c-bf5c45dc4daa", - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "category": "Networking and Firewall", - "descriptionText": "The HTTP port is open in a Security Group", + "descriptionText": "The HTTP port is open to the internet in a Security Group", "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html", "platform": "CloudFormation", "descriptionID": "a39efd21", 
diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json index c8f5b0390be..5b257a05962 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json @@ -1,13 +1,13 @@ [ { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 8, "fileName": "positive1.yaml" }, { "fileName": "positive2.json", - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 10 } diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open/metadata.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open/metadata.json index be9462418bf..327ccb5e5ca 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open/metadata.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open/metadata.json @@ -1,9 +1,9 @@ { "id": "c9846969-d066-431f-9b34-8c4abafe422a", - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "category": "Networking and Firewall", - "descriptionText": "The Remote Desktop port is open in a Security Group", + "descriptionText": "The Remote Desktop port is open to the internet in a Security Group", "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html", "platform": "CloudFormation", "descriptionID": "2e4ef03f", diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open/test/positive_expected_result.json index 9de37c9f525..7bea2341887 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open/test/positive_expected_result.json @@ -1,13 +1,13 @@ [ { - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 8, "fileName": "positive1.yaml" }, { "fileName": "positive2.json", - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 10 } diff --git a/assets/queries/terraform/aws/http_port_open/metadata.json b/assets/queries/terraform/aws/http_port_open/metadata.json index bddb8253ebf..8894b927a0d 100644 --- a/assets/queries/terraform/aws/http_port_open/metadata.json +++ b/assets/queries/terraform/aws/http_port_open/metadata.json @@ -1,9 +1,9 @@ { "id": "ffac8a12-322e-42c1-b9b9-81ff85c39ef7", - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "category": "Networking and Firewall", - "descriptionText": "The HTTP port is open in a Security Group", + "descriptionText": "The HTTP port is open to the internet in a Security Group", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", "platform": "Terraform", "descriptionID": "a829609b", diff --git a/assets/queries/terraform/aws/http_port_open/query.rego b/assets/queries/terraform/aws/http_port_open/query.rego index 0dc9a0d2322..e94f9032643 100644 --- a/assets/queries/terraform/aws/http_port_open/query.rego +++ b/assets/queries/terraform/aws/http_port_open/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as terraLib CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] - terraLib.openPort(resource.ingress, 80) + terraLib.portOpenToInternet(resource.ingress, 80) result := { "documentId": input.document[i].id, 
diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index 935de793dbb..b21243fcdaa 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json @@ -1,11 +1,11 @@ [ { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 1 }, { - "queryName": "HTTP Port Open", + "queryName": "HTTP Port Open To Internet", "severity": "HIGH", "line": 14 } diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/query.rego b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/query.rego index ca0a38faa29..d455a4eafba 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/query.rego +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { resource := doc.resource.aws_network_acl[name] is_array(resource.ingress) - terra_lib.openPort(resource.ingress[idx], 3389) + terra_lib.portOpenToInternet(resource.ingress[idx], 3389) result := { "documentId": input.document[i].id, @@ -26,7 +26,7 @@ CxPolicy[result] { net_acl_rule := doc.resource.aws_network_acl_rule[netAclRuleName] split(net_acl_rule.network_acl_id, ".")[1] == netAclName - terra_lib.openPort(net_acl_rule, 3389) + terra_lib.portOpenToInternet(net_acl_rule, 3389) result := { "documentId": doc.id, @@ -43,7 +43,7 @@ CxPolicy[result] { resource := doc.resource.aws_network_acl[name] not is_array(resource.ingress) - terra_lib.openPort(resource.ingress, 3389) + terra_lib.portOpenToInternet(resource.ingress, 3389) result := { "documentId": doc.id, 
@@ -61,7 +61,7 @@ CxPolicy[result] { common_lib.valid_key(module, keyToCheck) rule := module[keyToCheck][idx] - terra_lib.openPort(rule, 3389) + terra_lib.portOpenToInternet(rule, 3389) result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego index d3aca94c393..c7db090bea3 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { resource := doc.resource.aws_network_acl[name] is_array(resource.ingress) - terra_lib.openPort(resource.ingress[idx], 22) + terra_lib.portOpenToInternet(resource.ingress[idx], 22) result := { "documentId": doc.id, @@ -26,7 +26,7 @@ CxPolicy[result] { net_acl_rule := doc.resource.aws_network_acl_rule[netAclRuleName] split(net_acl_rule.network_acl_id, ".")[1] == netAclName - terra_lib.openPort(net_acl_rule, 22) + terra_lib.portOpenToInternet(net_acl_rule, 22) result := { "documentId": doc.id, @@ -43,7 +43,7 @@ CxPolicy[result] { resource := doc.resource.aws_network_acl[name] not is_array(resource.ingress) - terra_lib.openPort(resource.ingress, 22) + terra_lib.portOpenToInternet(resource.ingress, 22) result := { "documentId": doc.id, @@ -61,7 +61,7 @@ CxPolicy[result] { common_lib.valid_key(module, keyToCheck) rule := module[keyToCheck][idx] - terra_lib.openPort(rule, 22) + terra_lib.portOpenToInternet(rule, 22) result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open/test/positive_expected_result.json deleted file mode 100644 index 7c7656770d0..00000000000 --- a/assets/queries/terraform/aws/remote_desktop_port_open/test/positive_expected_result.json +++ /dev/null 
@@ -1,12 +0,0 @@ -[ - { - "queryName": "Remote Desktop Port Open", - "severity": "HIGH", - "line": 1 - }, - { - "queryName": "Remote Desktop Port Open", - "severity": "HIGH", - "line": 14 - } -] diff --git a/assets/queries/terraform/aws/remote_desktop_port_open/metadata.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json similarity index 67% rename from assets/queries/terraform/aws/remote_desktop_port_open/metadata.json rename to assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json index 53565ea51fa..285a6630b69 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open/metadata.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json @@ -1,9 +1,9 @@ { "id": "151187cb-0efc-481c-babd-ad24e3c9bc22", - "queryName": "Remote Desktop Port Open", + "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "category": "Networking and Firewall", - "descriptionText": "The Remote Desktop port is open in a Security Group", + "descriptionText": "The Remote Desktop port is open to the internet in a Security Group", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group", "platform": "Terraform", "descriptionID": "aea02d46", diff --git a/assets/queries/terraform/aws/remote_desktop_port_open/query.rego b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/query.rego similarity index 90% rename from assets/queries/terraform/aws/remote_desktop_port_open/query.rego rename to assets/queries/terraform/aws/remote_desktop_port_open_to_internet/query.rego index ccd804b2707..579653ac5d2 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open/query.rego +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/query.rego 
@@ -5,7 +5,7 @@ import data.generic.terraform as terraLib CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] - terraLib.openPort(resource.ingress, 3389) + terraLib.portOpenToInternet(resource.ingress, 3389) result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/remote_desktop_port_open/test/negative.tf b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/negative.tf similarity index 100% rename from assets/queries/terraform/aws/remote_desktop_port_open/test/negative.tf rename to assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/negative.tf diff --git a/assets/queries/terraform/aws/remote_desktop_port_open/test/positive.tf b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive.tf similarity index 100% rename from assets/queries/terraform/aws/remote_desktop_port_open/test/positive.tf rename to assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive.tf diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json new file mode 100644 index 00000000000..5a8602638ff --- /dev/null +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json @@ -0,0 +1,12 @@ +[ + { + "queryName": "Remote Desktop Port Open To Internet", + "severity": "HIGH", + "line": 1 + }, + { + "queryName": "Remote Desktop Port Open To Internet", + "severity": "HIGH", + "line": 14 + } +] diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/query.rego b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/query.rego index 2a1d96a2920..7ba300c13b6 100644 --- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/query.rego 
+++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/query.rego @@ -6,7 +6,7 @@ import data.generic.terraform as terra_lib CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] - terra_lib.openPort(resource.ingress, 22) + terra_lib.portOpenToInternet(resource.ingress, 22) result := { "documentId": input.document[i].id, @@ -21,7 +21,7 @@ CxPolicy[result] { CxPolicy[result] { module := input.document[i].module[name] keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_security_group", "ingress_cidr_blocks") - terra_lib.openPort(module.ingress, 22) + terra_lib.portOpenToInternet(module.ingress, 22) result := { "documentId": input.document[i].id, diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/query.rego b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/query.rego index 77399edf75e..19ba3bdf60f 100644 --- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/query.rego +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/query.rego @@ -5,7 +5,7 @@ import data.generic.terraform as terraLib CxPolicy[result] { resource := input.document[i].resource.aws_security_group[name] - terraLib.openPort(resource.ingress, 2383) + terraLib.portOpenToInternet(resource.ingress, 2383) result := { "documentId": input.document[i].id, From 4597b2d836b4e614d952372f40f95957e752df14 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 5 May 2022 14:48:26 +0100 Subject: [PATCH 3/3] add fileName --- .../test/positive_expected_result.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 5a8602638ff..ea4fb9f2939 100644 
--- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json
@@ -2,11 +2,13 @@
{
"queryName": "Remote Desktop Port Open To Internet",
"severity": "HIGH",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf"
},
{
"queryName": "Remote Desktop Port Open To Internet",
"severity": "HIGH",
- "line": 14
+ "line": 14,
+ "fileName": "positive.tf"
}
]
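Review bot: `"fileName": "positive.tf"` is added to both entries here, but the sibling `assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json` edited in the previous patch of this series still has no `fileName`, so the two terraform expected-result files now follow different shapes. If the test runner requires the key for terraform fixtures, that file needs the same `"fileName": "positive.tf"` lines; if it is optional, a short sentence in the commit message saying why it is added only here would help the next reader. The commit title `add fileName` gives no hint either way.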