update(query): Remote Desktop Port Open To Internet and HTTP Port Open To Internet

assets/libraries/terraform.rego

@@ -9,13 +9,13 @@ check_cidr(rule) {
 }
 
 # Checks if a TCP port is open in a rule
-openPort(rule, port) {
+portOpenToInternet(rule, port) {
 	check_cidr(rule)
 	rule.protocol == "tcp"
 	containsPort(rule, port)
 }
 
-openPort(rules, port) {
+portOpenToInternet(rules, port) {
 	rule := rules[_]
 	check_cidr(rule)
 	rule.protocol == "tcp"

assets/queries/ansible/aws/http_port_open/metadata.json → assets/queries/ansible/aws/http_port_open_to_internet/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "a14ad534-acbe-4a8e-9404-2f7e1045646e",
-  "queryName": "HTTP Port Open",
+  "queryName": "HTTP Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The HTTP port is open in a Security Group",
+  "descriptionText": "The HTTP port is open to the internet in a Security Group",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
   "platform": "Ansible",
   "descriptionID": "8c6031b8",

assets/queries/ansible/aws/http_port_open/test/positive_expected_result.json → assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json

@@ -1,36 +1,36 @@
 [
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 9
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 23
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 36
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 49
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 64
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 79
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 93
   }

assets/queries/ansible/aws/remote_desktop_port_open/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "eda7301d-1f3e-47cf-8d4e-976debc64341",
-  "queryName": "Remote Desktop Port Open",
+  "queryName": "Remote Desktop Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The Remote Desktop port is open in a Security Group",
+  "descriptionText": "The Remote Desktop port is open to the internet in a Security Group",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module",
   "platform": "Ansible",
   "descriptionID": "d644276b",

assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json

@@ -1,36 +1,36 @@
 [
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 9
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 23
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 36
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 49
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 64
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 79
   },
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 93
   }

assets/queries/cloudFormation/aws/http_port_open/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "ddfc4eaa-af23-409f-b96c-bf5c45dc4daa",
-  "queryName": "HTTP Port Open",
+  "queryName": "HTTP Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The HTTP port is open in a Security Group",
+  "descriptionText": "The HTTP port is open to the internet in a Security Group",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
   "platform": "CloudFormation",
   "descriptionID": "a39efd21",

assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json

@@ -1,13 +1,13 @@
 [
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 8,
     "fileName": "positive1.yaml"
   },
   {
     "fileName": "positive2.json",
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 10
   }

assets/queries/cloudFormation/aws/remote_desktop_port_open/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "c9846969-d066-431f-9b34-8c4abafe422a",
-  "queryName": "Remote Desktop Port Open",
+  "queryName": "Remote Desktop Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The Remote Desktop port is open in a Security Group",
+  "descriptionText": "The Remote Desktop port is open to the internet in a Security Group",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
   "platform": "CloudFormation",
   "descriptionID": "2e4ef03f",

assets/queries/cloudFormation/aws/remote_desktop_port_open/test/positive_expected_result.json

@@ -1,13 +1,13 @@
 [
   {
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 8,
     "fileName": "positive1.yaml"
   },
   {
     "fileName": "positive2.json",
-    "queryName": "Remote Desktop Port Open",
+    "queryName": "Remote Desktop Port Open To Internet",
     "severity": "HIGH",
     "line": 10
   }

assets/queries/terraform/aws/http_port_open/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "ffac8a12-322e-42c1-b9b9-81ff85c39ef7",
-  "queryName": "HTTP Port Open",
+  "queryName": "HTTP Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The HTTP port is open in a Security Group",
+  "descriptionText": "The HTTP port is open to the internet in a Security Group",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
   "platform": "Terraform",
   "descriptionID": "a829609b",

assets/queries/terraform/aws/http_port_open/query.rego

@@ -5,7 +5,7 @@ import data.generic.terraform as terraLib
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_security_group[name]
 
-	terraLib.openPort(resource.ingress, 80)
+	terraLib.portOpenToInternet(resource.ingress, 80)
 
 	result := {
 		"documentId": input.document[i].id,

assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json

@@ -1,11 +1,11 @@
 [
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 1
   },
   {
-    "queryName": "HTTP Port Open",
+    "queryName": "HTTP Port Open To Internet",
     "severity": "HIGH",
     "line": 14
   }

assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/query.rego

@@ -8,7 +8,7 @@ CxPolicy[result] {
 	resource := doc.resource.aws_network_acl[name]
 
 	is_array(resource.ingress)
-	terra_lib.openPort(resource.ingress[idx], 3389)
+	terra_lib.portOpenToInternet(resource.ingress[idx], 3389)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -26,7 +26,7 @@ CxPolicy[result] {
 	net_acl_rule := doc.resource.aws_network_acl_rule[netAclRuleName]
 	split(net_acl_rule.network_acl_id, ".")[1] == netAclName
 
-	terra_lib.openPort(net_acl_rule, 3389)
+	terra_lib.portOpenToInternet(net_acl_rule, 3389)
 
 	result := {
 		"documentId": doc.id,
@@ -43,7 +43,7 @@ CxPolicy[result] {
 	resource := doc.resource.aws_network_acl[name]
 
 	not is_array(resource.ingress)
-	terra_lib.openPort(resource.ingress, 3389)
+	terra_lib.portOpenToInternet(resource.ingress, 3389)
 
 	result := {
 		"documentId": doc.id,
@@ -61,7 +61,7 @@ CxPolicy[result] {
 	common_lib.valid_key(module, keyToCheck)
 	rule := module[keyToCheck][idx]
 
-	terra_lib.openPort(rule, 3389)
+	terra_lib.portOpenToInternet(rule, 3389)
 
 	result := {
 		"documentId": input.document[i].id,

assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/query.rego

@@ -8,7 +8,7 @@ CxPolicy[result] {
 	resource := doc.resource.aws_network_acl[name]
 
 	is_array(resource.ingress)
-	terra_lib.openPort(resource.ingress[idx], 22)
+	terra_lib.portOpenToInternet(resource.ingress[idx], 22)
 
 	result := {
 		"documentId": doc.id,
@@ -26,7 +26,7 @@ CxPolicy[result] {
 	net_acl_rule := doc.resource.aws_network_acl_rule[netAclRuleName]
 	split(net_acl_rule.network_acl_id, ".")[1] == netAclName
 
-	terra_lib.openPort(net_acl_rule, 22)
+	terra_lib.portOpenToInternet(net_acl_rule, 22)
 
 	result := {
 		"documentId": doc.id,
@@ -43,7 +43,7 @@ CxPolicy[result] {
 	resource := doc.resource.aws_network_acl[name]
 
 	not is_array(resource.ingress)
-	terra_lib.openPort(resource.ingress, 22)
+	terra_lib.portOpenToInternet(resource.ingress, 22)
 
 	result := {
 		"documentId": doc.id,
@@ -61,7 +61,7 @@ CxPolicy[result] {
 	common_lib.valid_key(module, keyToCheck)
 	rule := module[keyToCheck][idx]
 
-	terra_lib.openPort(rule, 22)
+	terra_lib.portOpenToInternet(rule, 22)
 
 	result := {
 		"documentId": input.document[i].id,

assets/queries/terraform/aws/remote_desktop_port_open/metadata.json → assets/queries/terraform/aws/remote_desktop_port_open_to_internet/metadata.json

@@ -1,9 +1,9 @@
 {
   "id": "151187cb-0efc-481c-babd-ad24e3c9bc22",
-  "queryName": "Remote Desktop Port Open",
+  "queryName": "Remote Desktop Port Open To Internet",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "The Remote Desktop port is open in a Security Group",
+  "descriptionText": "The Remote Desktop port is open to the internet in a Security Group",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group",
   "platform": "Terraform",
   "descriptionID": "aea02d46",

assets/queries/terraform/aws/remote_desktop_port_open/query.rego → assets/queries/terraform/aws/remote_desktop_port_open_to_internet/query.rego

@@ -5,7 +5,7 @@ import data.generic.terraform as terraLib
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_security_group[name]
 
-	terraLib.openPort(resource.ingress, 3389)
+	terraLib.portOpenToInternet(resource.ingress, 3389)
 
 	result := {
 		"documentId": input.document[i].id,

assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Remote Desktop Port Open To Internet",
+    "severity": "HIGH",
+    "line": 1,
+    "fileName": "positive.tf"
+  },
+  {
+    "queryName": "Remote Desktop Port Open To Internet",
+    "severity": "HIGH",
+    "line": 14,
+    "fileName": "positive.tf"
+  }
+]

assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/query.rego

@@ -6,7 +6,7 @@ import data.generic.terraform as terra_lib
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_security_group[name]
 
-	terra_lib.openPort(resource.ingress, 22)
+	terra_lib.portOpenToInternet(resource.ingress, 22)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -21,7 +21,7 @@ CxPolicy[result] {
 CxPolicy[result] {
 	module := input.document[i].module[name]
 	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, "aws_security_group", "ingress_cidr_blocks")
-	terra_lib.openPort(module.ingress, 22)
+	terra_lib.portOpenToInternet(module.ingress, 22)
 
 	result := {
 		"documentId": input.document[i].id,

assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/query.rego

@@ -5,7 +5,7 @@ import data.generic.terraform as terraLib
 CxPolicy[result] {
 	resource := input.document[i].resource.aws_security_group[name]
 
-	terraLib.openPort(resource.ingress, 2383)
+	terraLib.portOpenToInternet(resource.ingress, 2383)
 
 	result := {
 		"documentId": input.document[i].id,

docs/docker/nightly.csv

@@ -261,3 +261,7 @@ scratch,fd4160fd,2022-05-04,sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46
 alpine,fd4160fd,2022-05-04,sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46c3c8094ca2344dc1423
 debian,fd4160fd,2022-05-04,sha256:ec36ec2197079b09ffe38ee5b68d4dfe0cf36efc47ceeaa72de4739a4c39dd36
 ubi8,fd4160fd,2022-05-04,sha256:1925dc6ee1d01c27e702a84bcedb4925304602988caf4d9f22a27555bcf2fbee
+scratch,c2993ec2,2022-05-05,sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+alpine,c2993ec2,2022-05-05,sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+debian,c2993ec2,2022-05-05,sha256:6ef241e07372a753f84a6e75a67491a2b101fe302c0baf198a6ad39f8cdda0d2
+ubi8,c2993ec2,2022-05-05,sha256:66be122109613eea6e85a3f25e50846f382d675b23a36ca8ddb42f556739c1fe

docs/docker/nightly.md

@@ -262,3 +262,7 @@ scratch  |  fd4160fd  |  2022-05-04  |  sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092
 alpine   |  fd4160fd  |  2022-05-04  |  sha256:ec5c8ac7d7b0793782c2a42d5cc3c6092d4d582eeed46c3c8094ca2344dc1423
 debian   |  fd4160fd  |  2022-05-04  |  sha256:ec36ec2197079b09ffe38ee5b68d4dfe0cf36efc47ceeaa72de4739a4c39dd36
 ubi8     |  fd4160fd  |  2022-05-04  |  sha256:1925dc6ee1d01c27e702a84bcedb4925304602988caf4d9f22a27555bcf2fbee
+scratch  |  c2993ec2  |  2022-05-05  |  sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+alpine   |  c2993ec2  |  2022-05-05  |  sha256:3dc3e9cc84e1ee2ee45309f3a96b249aeddc2eea26ddb173edbf5e3780f6eb3e
+debian   |  c2993ec2  |  2022-05-05  |  sha256:6ef241e07372a753f84a6e75a67491a2b101fe302c0baf198a6ad39f8cdda0d2
+ubi8     |  c2993ec2  |  2022-05-05  |  sha256:66be122109613eea6e85a3f25e50846f382d675b23a36ca8ddb42f556739c1fe