diff --git a/.github/scripts/generate-positive-expected-results/add_issue_type.py b/.github/scripts/generate-positive-expected-results/add_issue_type.py new file mode 100644 index 00000000000..75c909983e9 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/add_issue_type.py 
@@ -0,0 +1,286 @@ +""" +Add the missing 'issueType' field to every positive_expected_result.json file. + +This script does NOT re-run any scans. It reads each query's query.rego to +determine the issueType(s) and matches them to existing expected-result entries +based on expectedValue / actualValue patterns. + +No existing field is modified — only 'issueType' is inserted. + +Usage: + python add_issue_type.py # normal run + python add_issue_type.py --dry # dry run (report only, no writes) +""" + +import json +import re +import sys +from pathlib import Path + +ASSETS_QUERIES_DIR = Path(__file__).resolve().parents[3] / "assets" / "queries" + +# ── Rego parsing ──────────────────────────────────────────────────────────── + +VALID_ISSUE_TYPES = {"MissingAttribute", "IncorrectValue", "RedundantAttribute", "BillOfMaterials"} + +# Keys used for issueType in different rego coding styles +_IT_KEYS = ("issueType", "it", "issueT", "type", "issue") +# Keys used for expected-value pattern +_EV_KEYS = ("keyExpectedValue", "kev", "solution") +# Keys used for actual-value pattern +_AV_KEYS = ("keyActualValue", "kav", "message") + + +def extract_string_or_sprintf(block: str, keys: tuple[str, ...] | str) -> str | None: + """Extract a literal string or the format-string from a sprintf call. + + ``keys`` can be a single key or a tuple of alternatives (first match wins). + """ + if isinstance(keys, str): + keys = (keys,) + for key in keys: + # "key": "literal" + m = re.search(rf'"{key}"\s*:\s*"([^"]*)"', block) + if m: + return m.group(1) + # "key": sprintf("format ...", [...]) + m = re.search(rf'"{key}"\s*:\s*sprintf\s*\(\s*"([^"]*)"', block) + if m: + return m.group(1) + return None + + +def _split_into_result_blocks(content: str) -> list[str]: + """Split rego content into logical blocks that each contain one result dict. + + We look for: + - CxPolicy[result] { ... } + - } else = res { ... } (helper function branches) + - functionName(...) = res { ... } + - functionName(...) 
= "IssueType" { (issueType helper functions) + Each "block" is the text from the opening brace to the next block boundary. + """ + openers = list(re.finditer( + r'(?:CxPolicy\s*\[\s*result\s*\]\s*\{|' # CxPolicy blocks + r'}\s*else\s*=\s*\w+\s*\{|' # else = res { + r'}\s*else\s*=\s*"[^"]*"\s*(?:#[^\n]*)?\n|' # else = "IncorrectValue" # comment\n + r'\w+\([^)]*\)\s*=\s*(?:res|result|issue)\s*\{|' # func(...) = res/issue { + r'\w+\([^)]*\)\s*=\s*"[^"]*"\s*\{)', # issueType(str) = "Value" { + content + )) + + blocks: list[str] = [] + for i, m in enumerate(openers): + start = m.end() + end = openers[i + 1].start() if i + 1 < len(openers) else len(content) + blocks.append(m.group() + content[start:end]) # include opener for context + + return blocks + + +def parse_rego_blocks(rego_path: Path) -> list[dict]: + """Return a list of dicts with issueType / expectedPattern / actualPattern. + + Handles direct issueType in CxPolicy blocks and indirect issueType via + helper functions with various key-name conventions. + """ + content = rego_path.read_text(encoding="utf-8") + blocks: list[dict] = [] + + result_blocks = _split_into_result_blocks(content) + + for block in result_blocks: + issue_type = None + + # 1. Check for known issueType keys with literal values + for key in _IT_KEYS: + m = re.search(rf'"{key}"\s*:\s*"([^"]+)"', block) + if m and m.group(1) in VALID_ISSUE_TYPES: + issue_type = m.group(1) + break + + # 2. 
Check for function-style: = "MissingAttribute" { or else = "Value" (comment) + if not issue_type: + m = re.search( + r'=\s*"(MissingAttribute|IncorrectValue|RedundantAttribute|BillOfMaterials)"', + block + ) + if m: + issue_type = m.group(1) + + if not issue_type: + continue + + blocks.append({ + "issueType": issue_type, + "expectedPattern": extract_string_or_sprintf(block, _EV_KEYS), + "actualPattern": extract_string_or_sprintf(block, _AV_KEYS), + }) + + return blocks + + +# ── Matching ──────────────────────────────────────────────────────────────── + +def _pattern_score(pattern: str | None, value: str) -> int: + """Score how well a sprintf/literal pattern matches a resolved value.""" + if not pattern: + return 0 + # Split the pattern on format specifiers (%s, %d, %v, …) and check + # whether the literal fragments appear in the value. + fragments = re.split(r'%[sdvfgtq]', pattern) + score = 0 + for frag in fragments: + frag = frag.strip() + if frag and frag in value: + score += len(frag) + return score + + +def match_issue_type(entry: dict, blocks: list[dict]) -> str | None: + """Determine the issueType for a single expected-result entry.""" + if not blocks: + return None + + unique = {b["issueType"] for b in blocks} + if len(unique) == 1: + return unique.pop() + + # Multiple issueTypes — score each block against the entry + actual = entry.get("actualValue", "") + expected = entry.get("expectedValue", "") + + best_type: str | None = None + best_score = -1 + + for block in blocks: + score = ( + _pattern_score(block["actualPattern"], actual) + + _pattern_score(block["expectedPattern"], expected) + ) + if score > best_score: + best_score = score + best_type = block["issueType"] + + return best_type + + +# ── File discovery ────────────────────────────────────────────────────────── + +def find_expected_result_files(query_dir: Path) -> list[Path]: + """Return all positive_expected_result.json files under the query's test dir.""" + test_dir = query_dir / "test" + if 
not test_dir.is_dir(): + return [] + return sorted(test_dir.rglob("positive_expected_result.json")) + + +def is_query_directory(p: Path) -> bool: + if not (p / "metadata.json").is_file(): + return False + return (p / "query.rego").is_file() or (p / "regex_rules.json").is_file() + + +# ── Main logic ────────────────────────────────────────────────────────────── + +def process_query(query_dir: Path, dry: bool) -> dict: + """Process one query directory. Returns a small stats dict.""" + stats = {"added": 0, "skipped": 0, "already": 0, "no_match": 0, "files": 0} + + rego_path = query_dir / "query.rego" + is_regex = (query_dir / "regex_rules.json").is_file() and not rego_path.is_file() + + if is_regex: + blocks: list[dict] = [] + default_issue_type = "RedundantAttribute" + else: + if not rego_path.is_file(): + return stats + blocks = parse_rego_blocks(rego_path) + default_issue_type = None + + result_files = find_expected_result_files(query_dir) + if not result_files: + return stats + + for rf in result_files: + with open(rf, "r", encoding="utf-8") as f: + entries = json.load(f) + + if not isinstance(entries, list): + continue + + modified = False + for entry in entries: + if "issueType" in entry: + stats["already"] += 1 + continue + + if default_issue_type: + it = default_issue_type + else: + it = match_issue_type(entry, blocks) + + if it is None: + stats["no_match"] += 1 + print(f" WARNING: could not determine issueType for entry in {rf}") + print(f" expectedValue: {entry.get('expectedValue', '')[:80]}") + print(f" actualValue: {entry.get('actualValue', '')[:80]}") + continue + + entry["issueType"] = it + stats["added"] += 1 + modified = True + + if modified and not dry: + with open(rf, "w", encoding="utf-8") as f: + json.dump(entries, f, indent=2, ensure_ascii=False) + f.write("\n") + + stats["files"] += 1 + + return stats + + +def main() -> None: + dry = "--dry" in sys.argv + + if dry: + print("=== DRY RUN — no files will be written ===\n") + + totals = {"added": 0, 
"skipped": 0, "already": 0, "no_match": 0, "files": 0, "queries": 0} + + for query_dir in sorted(ASSETS_QUERIES_DIR.rglob("*")): + if not query_dir.is_dir(): + continue + if not is_query_directory(query_dir): + continue + + stats = process_query(query_dir, dry) + if stats["files"] == 0: + continue + + totals["queries"] += 1 + for k in ("added", "skipped", "already", "no_match", "files"): + totals[k] += stats[k] + + label = query_dir.relative_to(ASSETS_QUERIES_DIR) + if stats["no_match"]: + print(f"[!] {label}: {stats}") + elif stats["added"]: + print(f"[+] {label}: added {stats['added']} issueType(s)") + + print(f"\n{'='*60}") + print(f"Queries processed : {totals['queries']}") + print(f"Files touched : {totals['files']}") + print(f"issueType added : {totals['added']}") + print(f"Already present : {totals['already']}") + print(f"No match (WARN) : {totals['no_match']}") + + if totals["no_match"]: + print("\n⚠ Some entries could not be matched. Review the warnings above.") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expected-results/generate.py b/.github/scripts/generate-positive-expected-results/generate.py new file mode 100644 index 00000000000..cb314e42567 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/generate.py 
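Review bot: In `match_issue_type`, starting with `best_score = -1` means that when a query has several issueTypes and none of their expected/actual patterns share a literal fragment with the entry, the first block's issueType is still returned with a score of 0, so the entry is tagged on no evidence instead of reaching the `no_match` warning in `process_query`. Changing the initial value to `best_score = 0` (keeping `best_type: str | None = None`) makes a zero-evidence match fall through to `return best_type` as `None`, which is what the warning path expects. The `"skipped"` counter in `process_query`'s `stats` and in `main`'s `totals` is never incremented — either drop it from both dicts or count the non-list files that the `continue` in `process_query` skips. `_split_into_result_blocks` matches function heads with `\w+\([^)]*\)`, which cannot match a helper whose parameter list itself contains parentheses; a short comment stating that limitation next to the pattern would save the next maintainer a debugging session.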
@@ -0,0 +1,65 @@ +import json +from pathlib import Path + +import models + + +ASSETS_QUERIES_DIR = Path(__file__).resolve().parents[3] / "assets" / "queries" +EXCLUDED_DIRS: set[str] = set() + + +def is_query_directory(path: Path) -> bool: + """A directory is a query if it contains metadata.json and either query.rego or regex_rules.json.""" + if not (path / "metadata.json").is_file(): + return False + return (path / "query.rego").is_file() or (path / "regex_rules.json").is_file() + + +def extract_query_id(metadata_path: Path) -> str: + """Read the 'id' field from the query's metadata.json.""" + with open(metadata_path, "r", encoding="utf-8") as f: + metadata = json.load(f) + return metadata["id"] + + +def build_test_list() -> models.TestList: + """Walk assets/queries (excluding 'common') and collect QueryInfo for every query found.""" + test_list = models.TestList() + + for query_dir in sorted(ASSETS_QUERIES_DIR.rglob("*")): + if not query_dir.is_dir(): + continue + + # Skip anything under the 'common' top-level directory + relative = query_dir.relative_to(ASSETS_QUERIES_DIR) + if relative.parts[0] in EXCLUDED_DIRS: + continue + + if not is_query_directory(query_dir): + continue + + query_id = extract_query_id(query_dir / "metadata.json") + + query_info = models.QueryInfo( + test_path=str(query_dir / "test"), + results_file_path=str(query_dir / "results"), + id=query_id, + payload_path=str(query_dir / "payloads"), + results_info=[], + ) + + test_list.queries_list.append(query_info) + + return test_list + + +if __name__ == "__main__": + test_list = build_test_list() + + print(f"Total queries found: {len(test_list.queries_list)}\n") + for qi in test_list.queries_list: + print(f" ID: {qi.id}") + print(f" Test path: {qi.test_path}") + print(f" Results path: {qi.results_file_path}") + print(f" Payload path: {qi.payload_path}") + print() 
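Review bot: `build_test_list`'s docstring and the inline comment say the `common` top-level directory is excluded, but `EXCLUDED_DIRS` is initialised to `set()`, so the `relative.parts[0] in EXCLUDED_DIRS` check never skips anything and any query directories under `common` are collected. Either set `EXCLUDED_DIRS: set[str] = {"common"}` or reword the docstring and comment so they describe the empty set. `extract_query_id` surfaces a metadata.json without an `"id"` field as a bare `KeyError`, which in a tree-wide walk does not say which file is broken; `raise KeyError(f"'id' missing in {metadata_path}") from None` would name the file.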
diff --git a/.github/scripts/generate-positive-expected-results/main.py b/.github/scripts/generate-positive-expected-results/main.py new file mode 100644 index 00000000000..844ce734f74 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/main.py @@ -0,0 +1,27 @@ +from runner import run_all +from write_expected_results import write_positive_expected_results, write_skipped_queries_report +from run_skipped import main as run_skipped_main + + +def main(): + # 1. Build test list, run scans and populate results_info + test_list = run_all() + + # 2. Write positive_expected_result.json for each query + print(f"\n{'='*60}") + print("Writing positive_expected_result.json files...\n") + write_positive_expected_results(test_list) + + # 3. Write skipped queries report + print(f"\n{'='*60}") + print("Writing skipped queries report...\n") + write_skipped_queries_report(test_list) + + # 4. Re-run skipped queries individually per test file + print(f"\n{'='*60}") + print("Re-running skipped queries with per-file scans...\n") + run_skipped_main() + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expected-results/models.py b/.github/scripts/generate-positive-expected-results/models.py new file mode 100644 index 00000000000..f5dfd4f0483 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/models.py @@ -0,0 +1,28 @@ +from dataclasses import dataclass, field + +@dataclass +class ResultInfo: + query_name: str + severity: str + line: str + filename: str + resource_type: str + resource_name: str + search_key: str + search_value: str + expected_value: str + actual_value: str + +@dataclass +class QueryInfo: + test_path: str + results_file_path: str + id: str + payload_path: str + results_info: list[ResultInfo] = field(default_factory=list) + return_code: int | None = None + is_bom: bool = False + +@dataclass +class TestList: + queries_list: list[QueryInfo] = field(default_factory=list) 
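Review bot: `run_skipped_main()` at the end of `main` reads `sys.argv[1]` as the report path (see `main` in run_skipped.py in this same diff), so any argument given to main.py is reinterpreted as the skipped-queries report on the last step. Give `run_skipped.main` an explicit parameter, e.g. `def main(report_path: Path | None = None) -> None:` with the argv lookup only when it is `None`, and call it from here with the path that `write_skipped_queries_report` writes to; that function is not in this diff, so whether it uses `DEFAULT_SKIPPED_REPORT` is not visible here. `main` also lacks a return annotation and a docstring; a one-line summary of the four-stage pipeline (`"""Scan all queries, write expected results, then re-run the skipped ones per file."""`) would document the entry point.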
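Review bot: None of the three dataclasses has a docstring, and `ResultInfo.line` is typed `str` while `parse_results_from_file` in run_skipped.py keeps the raw `line` value from the scan output and sorts on it as an `int`, so the type that ends up in positive_expected_result.json depends on which producer wrote it. Add a class docstring to each, e.g. `"""One finding taken from a `files` entry of a KICS scan result file."""` on `ResultInfo`, `"""One query directory plus the scan results collected for it."""` on `QueryInfo`, and record on `line` which representation the expected-result files are meant to carry. Since these are plain records, `@dataclass(slots=True)` is appropriate; `frozen=True` does not fit `QueryInfo`, whose `return_code`, `is_bom` and `results_info` are assigned after construction in runner.py.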
diff --git a/.github/scripts/generate-positive-expected-results/run_skipped.py b/.github/scripts/generate-positive-expected-results/run_skipped.py new file mode 100644 index 00000000000..7ff822a54f5 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/run_skipped.py 
@@ -0,0 +1,233 @@ +#!/usr/bin/env python3 +""" +Run scans for skipped queries individually (per test file) and write positive_expected_result.json. + +For queries that returned no results when scanning the whole test directory, this script +re-runs the scan once per individual positive test file so the query engine can isolate +matches that it misses when all files are scanned together. + +Usage: + python run_skipped.py [path/to/skipped_queries_report.json] + +Defaults to skipped_queries_report.json in the same directory as this script. +""" + +import json +import subprocess +import sys +from pathlib import Path + +SCRIPT_DIR = Path(__file__).resolve().parent +sys.path.insert(0, str(SCRIPT_DIR)) + +from write_expected_results import deduplicate_results + +KICS_ROOT = Path(__file__).resolve().parents[3] +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") +DEFAULT_SKIPPED_REPORT = SCRIPT_DIR / "skipped_queries_report.json" + + +def get_positive_test_files(test_path: Path) -> list[Path]: + """Return all positive test files/dirs in the test dir (excluding positive_expected_result.json).""" + positives = [] + for item in sorted(test_path.iterdir()): + if item.name.startswith("positive") and item.name != "positive_expected_result.json": + positives.append(item) + return positives + + +def get_payload_for_test(test_file: Path, payload_dir: Path) -> Path: + """Return the individual payload file for a test file, falling back to all_payloads.json.""" + stem = test_file.stem if test_file.is_file() else test_file.name + individual = payload_dir / f"{stem}_payload.json" + if individual.is_file(): + return individual + return payload_dir / "all_payloads.json" + + +def run_individual_scan( + query_id: str, + test_file: Path, + results_dir: Path, + payload_file: Path, +) -> tuple[Path, int]: + """Run a scan on a single test file/dir. 
Returns (output_file_path, return_code).""" + stem = test_file.stem if test_file.is_file() else test_file.name + output_name = f"{stem}_results.json" + output_file = results_dir / output_name + + results_dir.mkdir(parents=True, exist_ok=True) + + cmd = [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", str(test_file), + "-o", str(results_dir), + "--output-name", output_name, + "-i", query_id, + "-d", str(payload_file), + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs", + ] + + print(f" $ {' '.join(cmd)}") + result = subprocess.run(cmd, cwd=str(KICS_ROOT)) + return output_file, result.returncode + + +def parse_results_from_file(results_file: Path) -> list[dict]: + """Parse a scan result JSON file and return a list of result dicts.""" + if not results_file.is_file(): + return [] + + with open(results_file, "r", encoding="utf-8") as f: + data = json.load(f) + + results = [] + bom_entries = data.get("bill_of_materials", []) + query_entries = data.get("queries", []) + all_entries = bom_entries if bom_entries else query_entries + + for q in all_entries: + query_name = q.get("query_name", "") + severity = q.get("severity", "") + for file_entry in q.get("files", []): + file_path = Path(file_entry.get("file_name", "")) + filename = file_path.name + + # Skip results from negative test files + if not filename.startswith("positive") and not file_path.parent.name.startswith("positive"): + continue + + results.append({ + "queryName": query_name, + "severity": severity, + "line": file_entry.get("line", ""), + "filename": filename, + "resourceType": file_entry.get("resource_type", ""), + "resourceName": file_entry.get("resource_name", ""), + "searchKey": file_entry.get("search_key", ""), + "searchValue": file_entry.get("search_value", ""), + "expectedValue": file_entry.get("expected_value", ""), + "actualValue": file_entry.get("actual_value", ""), + }) + + return results + + +def process_skipped_query(query: dict) -> dict[str, list[dict]]: + """Run per-file 
scans for a skipped query and return results grouped by destination. + + Returns a dict mapping destination paths (as strings) to their result lists. + For positive test files, results are grouped under the top-level test_path. + For positive test directories (which have their own positive_expected_result.json), + results are grouped under the subdirectory path. + """ + query_id = query["id"] + test_path = Path(query["test_path"]) + results_dir = Path(query["results_file_path"]) + payload_dir = test_path.parent / "payloads" + + print(f" Test path : {test_path}") + + if not test_path.is_dir(): + print(" ⚠ Test directory not found") + return {} + + positive_files = get_positive_test_files(test_path) + if not positive_files: + print(" ⚠ No positive test files found") + return {} + + print(f" Positive files: {[f.name for f in positive_files]}") + + # Group results by destination: top-level test_path for files, subdirectory for directories + results_by_dest: dict[str, list[dict]] = {} + + for test_file in positive_files: + payload_file = get_payload_for_test(test_file, payload_dir) + print(f"\n [{test_file.name}] payload → {payload_file.name}") + + output_file, return_code = run_individual_scan( + query_id=query_id, + test_file=test_file, + results_dir=results_dir, + payload_file=payload_file, + ) + + if return_code != 0: + print(f" ⚠ Scan failed with return code {return_code}") + else: + print(" ✓ Scan completed") + + file_results = parse_results_from_file(output_file) + print(f" → {len(file_results)} result(s) found") + + # Determine destination: subdirectory gets its own positive_expected_result.json + if test_file.is_dir(): + dest = str(test_file) + else: + dest = str(test_path) + + results_by_dest.setdefault(dest, []).extend(file_results) + + return results_by_dest + + +def write_positive_expected_result(test_path: Path, results: list[dict]) -> None: + """Deduplicate, sort, and write positive_expected_result.json to the test directory.""" + results = 
deduplicate_results(results) + results.sort(key=lambda r: ( + r["filename"], + r["line"] if isinstance(r["line"], int) else 0, + )) + + output_file = test_path / "positive_expected_result.json" + with open(output_file, "w", encoding="utf-8") as f: + json.dump(results, f, indent=2, ensure_ascii=False) + + print(f"\n ✓ Written: {output_file} ({len(results)} result(s))") + + +def main() -> None: + report_path = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SKIPPED_REPORT + + if not report_path.is_file(): + print(f"Error: report file not found: {report_path}", file=sys.stderr) + sys.exit(1) + + with open(report_path, "r", encoding="utf-8") as f: + skipped_queries = json.load(f) + + total = len(skipped_queries) + print(f"Processing {total} skipped quer{'y' if total == 1 else 'ies'} from: {report_path}") + print("=" * 60) + + still_skipped = [] + + for i, query in enumerate(skipped_queries, start=1): + print(f"\n[{i}/{total}] Query: {query['id']}") + results_by_dest = process_skipped_query(query) + + if not results_by_dest: + print(" ⚠ No results produced — skipping positive_expected_result.json") + still_skipped.append(query["id"]) + continue + + for dest_path, results in results_by_dest.items(): + if results: + write_positive_expected_result(Path(dest_path), results) + + print(f"\n{'=' * 60}") + succeeded = total - len(still_skipped) + print(f"Done: {succeeded}/{total} queries updated successfully") + + if still_skipped: + print(f"\nStill produced no results ({len(still_skipped)}):") + for qid in still_skipped: + print(f" - {qid}") + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expected-results/runner.py b/.github/scripts/generate-positive-expected-results/runner.py new file mode 100644 index 00000000000..81e1f66d96d --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/runner.py 
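Review bot: In `process_skipped_query`, `parse_results_from_file(output_file)` runs even when `run_individual_scan` returned a non-zero code, and `run_individual_scan` never removes a previous `{stem}_results.json`, so a failed scan can feed a stale result file from an earlier run into positive_expected_result.json. Delete the old file before scanning, `output_file.unlink(missing_ok=True)` right after `results_dir.mkdir(parents=True, exist_ok=True)`, and `continue` on a non-zero return code instead of only printing the warning; `run_all` in runner.py has the same pattern with `all_results.json` and should get the same guard. The report that `DEFAULT_SKIPPED_REPORT` points to is committed with absolute `/home/ricardo/...` paths, so on any other checkout `test_path.is_dir()` fails and every query prints "Test directory not found" — regenerating the report before commit, or resolving `test_path` relative to `KICS_ROOT`, would make the script portable.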
@@ -0,0 +1,113 @@ +import json +import subprocess +from pathlib import Path + +from generate import build_test_list +from models import QueryInfo, ResultInfo, TestList + +KICS_ROOT = Path(__file__).resolve().parents[3] +GO_ENTRY_POINT = str(KICS_ROOT / "cmd" / "console" / "main.go") + + +def build_command(query: QueryInfo) -> list[str]: + """Build the go run scan command for a single query.""" + return [ + "go", "run", GO_ENTRY_POINT, "scan", + "-p", query.test_path, + "-o", query.results_file_path, + "--output-name", "all_results.json", + "-i", query.id, + "-d", f"{query.payload_path}/all_payloads.json", + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs" + ] + + +def parse_results(query: QueryInfo) -> list[ResultInfo]: + """Read all_results.json and extract ResultInfo entries for positive files.""" + results_file = Path(query.results_file_path) / "all_results.json" + if not results_file.is_file(): + return [] + + with open(results_file, "r", encoding="utf-8") as f: + data = json.load(f) + + results: list[ResultInfo] = [] + + bom_entries = data.get("bill_of_materials", []) + query_entries = data.get("queries", []) + + if bom_entries: + query.is_bom = True + + all_entries = bom_entries if bom_entries else query_entries + for q in all_entries: + query_name = q.get("query_name", "") + severity = q.get("severity", "") + + for file_entry in q.get("files", []): + file_path = Path(file_entry.get("file_name", "")) + filename = file_path.name + + # Skip results from negative test files — only positive files belong + # in positive_expected_result.json. Also check the parent directory name + # for cases where positive tests live inside subdirectories (e.g. positive2/). 
+ if not filename.startswith("positive") and not file_path.parent.name.startswith("positive"): + continue + + results.append(ResultInfo( + query_name=query_name, + severity=severity, + line=str(file_entry.get("line", "")), + filename=filename, + resource_type=file_entry.get("resource_type", ""), + resource_name=file_entry.get("resource_name", ""), + search_key=file_entry.get("search_key", ""), + search_value=file_entry.get("search_value", ""), + expected_value=file_entry.get("expected_value", ""), + actual_value=file_entry.get("actual_value", ""), + )) + + return results + + +def run_all() -> TestList: + """Run scans for all queries and return TestList with results_info populated.""" + test_list = build_test_list() + total = len(test_list.queries_list) + failed = [] + + print(f"Running scan for {total} queries...\n") + + for i, query in enumerate(test_list.queries_list, start=1): + cmd = build_command(query) + print(f"[{i}/{total}] Scanning query {query.id}") + print(f" Command: {' '.join(cmd)}\n") + + result = subprocess.run(cmd, cwd=str(KICS_ROOT)) + query.return_code = result.returncode + + if result.returncode != 0: + failed.append(query.id) + print(f" ⚠ Query {query.id} exited with code {result.returncode}\n") + else: + print(f" ✓ Query {query.id} completed successfully\n") + + # Populate results_info from the generated all_results.json + query.results_info = parse_results(query) + + print(f"\n{'='*60}") + print(f"Finished: {total - len(failed)}/{total} succeeded, {len(failed)} failed") + + if failed: + print("\nFailed queries:") + for qid in failed: + print(f" - {qid}") + + return test_list + + +if __name__ == "__main__": + run_all() diff --git a/.github/scripts/generate-positive-expected-results/skipped_queries_report.json b/.github/scripts/generate-positive-expected-results/skipped_queries_report.json new file mode 100644 index 00000000000..8fd9fd8c43c --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/skipped_queries_report.json 
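Review bot: `parse_results` converts the line number with `str(file_entry.get("line", ""))`, whereas `parse_results_from_file` in run_skipped.py stores the raw value and sorts it as an `int`; the two scan paths therefore emit differently typed `line` fields unless `write_positive_expected_results` (not in this diff) normalises them, so pick one representation and use it in both. `parse_results` also sets `query.is_bom = True` as a side effect of parsing, which a reader of `run_all` cannot see from `query.results_info = parse_results(query)`; a docstring line such as `Side effect: sets query.is_bom when the output contains bill_of_materials entries.` would make that explicit. `build_command` joins the payload path with an f-string, `f"{query.payload_path}/all_payloads.json"`, while the rest of the module uses `Path`; `str(Path(query.payload_path) / "all_payloads.json")` keeps it consistent.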
@@ -0,0 +1,527 @@ +[ + { + "id": "1819ac03-542b-4026-976b-f37addd59f3b", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 54, + "files_parsed": 4, + "lines_parsed": 54, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:09:36.862538133Z", + "end": "2026-03-10T21:09:37.125576984Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test" + ], + "queries": [] + } + }, + { + "id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", + "test_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 4, + "lines_scanned": 280, + "files_parsed": 4, + "lines_parsed": 280, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:14:10.140367518Z", + "end": "2026-03-10T21:14:10.430882489Z", + "paths": [ + "/home/ricardo/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test" + ], + 
"queries": [] + } + }, + { + "id": "b9c83569-459b-4110-8f79-6305aa33cb37", + "test_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", + "results_file_path": "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 70, + "files_parsed": 3, + "lines_parsed": 66, + "lines_ignored": 4, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:21:17.55744331Z", + "end": "2026-03-10T21:21:17.854914524Z", + "paths": [ + "/home/ricardo/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test" + ], + "queries": [] + } + }, + { + "id": "1ec163d0-a9be-4695-89a8-a4028a2cbae7", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:41.360706913Z", + "end": "2026-03-10T21:36:41.728017239Z", + "paths": [ + 
"/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "99b47957-c575-4555-b8c0-ff92384249b4", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:42.947693087Z", + "end": "2026-03-10T21:36:43.329669351Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "8553d83f-fe77-4c96-8850-a95c5895b336", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + 
"severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:44.496885909Z", + "end": "2026-03-10T21:36:44.883018849Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "1219a37a-9a2c-420d-8b8c-30bdbc3bfeb1", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:46.245238204Z", + "end": "2026-03-10T21:36:46.758666376Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "d0514e4b-9e95-4a7a-9bc5-0adb32514122", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + 
"lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:48.132274021Z", + "end": "2026-03-10T21:36:48.519158635Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "62d120b1-b1e0-40ef-a81d-a4994ac88b3b", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:50.245121761Z", + "end": "2026-03-10T21:36:50.627450482Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "a7b422e3-0b2f-4795-a43a-136dbbd6cbb3", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test", + "results_file_path": 
"/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:51.897827526Z", + "end": "2026-03-10T21:36:52.284502912Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:53.462302745Z", + "end": "2026-03-10T21:36:53.832331011Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": 
"b97a1065-a86b-442f-86c4-f95afd9b3ac6", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:55.0886508Z", + "end": "2026-03-10T21:36:55.488912552Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "8ce5c61f-5cd1-41bc-b7d9-b26b18efd505", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 8, + "lines_scanned": 285, + "files_parsed": 8, + "lines_parsed": 277, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:36:56.718499014Z", + "end": 
"2026-03-10T21:36:57.096622134Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test" + ], + "queries": [] + } + }, + { + "id": "609839ae-bd81-4375-9910-5bce72ae7b92", + "test_path": "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 103, + "files_parsed": 3, + "lines_parsed": 103, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2026-03-10T21:38:33.396715951Z", + "end": "2026-03-10T21:38:33.702529094Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test" + ], + "queries": [] + } + }, + { + "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", + "test_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", + "results_file_path": "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", + "return_code": 0, + "all_results": { + "kics_version": "development", + "files_scanned": 12, + "lines_scanned": 112, + "files_parsed": 12, + "lines_parsed": 112, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": 
"2026-03-10T21:40:41.995856833Z", + "end": "2026-03-10T21:40:42.339995358Z", + "paths": [ + "/home/ricardo/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test" + ], + "queries": [] + } + } +] \ No newline at end of file diff --git a/.github/scripts/generate-positive-expected-results/test_list_output_personal_computer.json b/.github/scripts/generate-positive-expected-results/test_list_output_personal_computer.json new file mode 100644 index 00000000000..9cebc19c866 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/test_list_output_personal_computer.json 
@@ -0,0 +1,10864 @@ +{ + "queries_list": [ + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/results", + "id": "f81d63d2-c5d7-43a4-a5b5-66717a41c895", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/results", + "id": "97707503-a22c-4cd7-b7c0-f088fa7cf830", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/results", + "id": "a19b2942-142e-4e2b-93b7-6cf6a6c8d90f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "559439b2-3e9c-4739-ac46-17e3b24ec215", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/results", + "id": "72a931c2-12f5-40d1-93cc-47bff2f7aa2a", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/results", + "id": "b16cdb37-ce15-4ab2-8401-d42b05d123fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/results", + "id": "b47b98ab-e481-4a82-8bb1-1ab39fd36e33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/results", + "id": "f5f38943-664b-4acc-ab11-f292fa10ed0b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/results", + "id": "2059155b-27fd-441e-b616-6966c468561f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/results", + "id": 
"eee107f9-b3d8-45d3-b9c6-43b5a7263ce1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/authentication_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "050f085f-a8db-4072-9010-2cca235cc02f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/results", + "id": "857f8808-e96a-4ba8-a9b7-f2d4ec6cad94", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/results", + "id": "e28ceb92-d588-4166-aac5-766c8f5b7472", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "defe5b18-978d-4722-9325-4d1975d3699f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/results", + "id": "5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/results", + "id": "b25398a2-0625-4e61-8e4d-a1bb23905bf6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/results", + "id": "5a443297-19d4-4381-9e5b-24faf947ec22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_has_expired/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/results", + "id": "d5ec2080-340a-4259-b885-f833c4ea6a31", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/results", + "id": "d31cb911-bf5b-4eb6-9fc3-16780c77c7bd", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "d0c13053-d2c8-44a6-95da-d592996e9e67", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/results", + "id": "22c80725-e390-4055-8d14-a872230f6607", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/results", + "id": "4d8681a2-3d30-4c89-8070-08acd142748e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "f5587077-3f57-4370-9b4e-4eb5b1bac85b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/results", + "id": "d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/results", + "id": "6ad087d7-a509-4b20-b853-9ef6f5ebaa98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "ebb2118a-03bc-4d53-ab43-d8750f5cb8d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "5ba316a9-c466-4ec1-8d5b-bc6107dc9a92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/results", + "id": "e24e18d9-4c2b-4649-b3d0-18c088145e24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/results", + "id": "133fee21-37ef-45df-a563-4d07edc169f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/results", + "id": "af96d737-0818-4162-8c41-40d969bd65d1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/results", + "id": "a1423864-2fbc-4f46-bfe1-fbbf125c71c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/codebuild_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "a2fdf451-89dd-451e-af92-bf6c0f4bab96", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/results", + "id": "7674a686-e4b1-4a95-83d4-1fd53c623d84", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "af167837-9636-4086-b815-c239186b9dda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/results", + "id": "7dfb316c-a6c2-454d-b8a2-97f147b0c0ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/results", + "id": "ea0ed1c7-9aef-4464-b7c7-94c762da3640", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/results", + "id": "0956aedf-6a7a-478b-ab56-63e2b19923ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "8010e17a-00e9-4635-a692-90d6bcec68bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/results", + "id": "4b6012e7-7176-46e4-8108-e441785eae57", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/results", + "id": "5330b503-3319-44ff-9b1c-00ee873f728a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/results", + "id": "a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/results", + "id": "8d03993b-8384-419b-a681-d1f55149397c", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/results", + "id": "8833f180-96f1-46f4-9147-849aafa56029", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/results", + "id": "338b6cab-961d-4998-bb49-e5b6a11c9a5c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/results", + "id": "60bfbb8a-c72f-467f-a6dd-a46b7d612789", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_image_tag_not_immutable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/results", + "id": "fb5a5df7-6d74-4243-ab82-ff779a958bfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/results", + "id": 
"7db727c1-1720-468e-b80e-06697f71e09e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_admin_role_is_present/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/results", + "id": "f5c45127-1d28-4b49-a692-0b97da1c3a84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_service_without_running_tasks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/results", + "id": "560f256b-0b45-4496-bcb5-733681e7d38d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/results", + "id": "01aec7c2-3e4d-4274-ae47-2b8fea22fd1f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/results", + "id": "727c4fd4-d604-4df6-a179-7713d3c85e20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/results", + "id": "bd77554e-f138-40c5-91b2-2a09f878608e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/results", + "id": "b8a9852c-9943-4973-b8d5-77dae9352851", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/efs_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/results", + "id": "7cc6c791-5f68-4816-a564-b9b699f9d26e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/results", + "id": "5527dcfc-94f9-4bf6-b7d4-1b78850cf41f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticache_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/results", + "id": "d6c2d06f-43c1-488a-9ba1-8d75b40fc62d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/results", + "id": "730a5951-2760-407a-b032-dd629b55c23a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/results", + "id": "2034fb37-bc23-4ca0-8d95-2b9f15829ab5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/results", + "id": "c2f15af3-66a0-4176-a56e-e4711e502e5c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/results", + "id": "f34508b9-f574-4330-b42d-88c44cced645", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/results", + "id": "a14ad534-acbe-4a8e-9404-2f7e1045646e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/http_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/results", + "id": "7f79f858-fbe8-4186-8a2c-dfd0d958a40f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_access_key_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/results", + "id": "0ed012a4-9199-43d2-b9e4-9bd049a48aa4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_database_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/results", + "id": "f509931b-bbb0-443c-bd9b-10e92ecf2193", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_group_without_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/results", + "id": "8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/results", + "id": "eafe4bc3-1042-4f88-b988-1939e64bf060", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/results", + "id": "e401d614-8026-4f4b-9af9-75d1197461ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policies_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/results", + "id": "12a7a7ce-39d6-49dd-923d-aeb4564eb66c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/results", + "id": "b5ed026d-a772-4f07-97f9-664ba0b116f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_policy_grants_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/results", + "id": "babdedcf-d859-43da-9a7b-6d72e661a8fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/results", + "id": "b9ef8c0e-1392-4df4-aa84-2e0f95681c75", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/results", + "id": "61d1a2d0-4db8-405a-913d-5d2ce49dff6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/instance_with_no_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/results", + "id": "f2ea6481-1d31-4d40-946a-520dc6321dd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/results", + "id": "5b9d237a-57d5-4177-be0e-71434b0fef47", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/kms_key_with_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/results", + "id": "265d9725-2fb8-42a2-bc57-3279c5db82d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/results", + "id": 
"71397b34-1d50-4ee1-97cb-c96c34676f74", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/results", + "id": "3ddf3417-424d-420d-8275-0724dc426520", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/results", + "id": "1d972c56-8ec2-48c1-a578-887adb09c57a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/results", + "id": "66477506-6abb-49ed-803d-3fa174cd5f6a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/results", + "id": "3f2cf811-88fa-4eda-be45-7a191a18aba9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/misconfigured_password_policy_expiration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/results", + "id": "ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/no_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/results", + "id": "6f5f5444-1422-495f-81ef-24cefd61ed2c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/password_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/results", + "id": "5e92d816-2177-4083-85b4-f61b4f7176d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/results", + "id": "71ea648a-d31a-4b5a-a589-5674243f1c33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/public_port_wide/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/results", + "id": "16732649-4ff6-4cd2-8746-e72c13fae4b8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/results", + "id": "c09e3ca5-f08a-4717-9c87-3919c5e6d209", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/results", + "id": "2cb674f6-32f9-40be-97f2-62c0dc38f0d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/results", + "id": "e69890e6-fce5-461d-98ad-cb98318dfc96", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/results", + "id": "9f34885e-c08f-4d13-a7d1-cf190c5bd268", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redis_not_compliant/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/results", + "id": "6a647814-def5-4b85-88f5-897c19f509cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/results", + "id": "5c6b727b-1382-4629-8ba9-abd1365e5610", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/results", + "id": "e01de151-a7bd-4db4-b49b-3c4775a5e881", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/redshift_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/results", + "id": "eda7301d-1f3e-47cf-8d4e-976debc64341", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/remote_desktop_port_open/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/results", + "id": "e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/root_account_has_active_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/results", + "id": "445dce51-7e53-4e50-80ef-7f94f14169e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/results", + "id": "3ab1f27d-52cc-4943-af1d-43c1939e739a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/results", + "id": "a1ef9d2e-4163-40cb-bd92-04f0d602a15d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "75480b31-f349-4b9a-861f-bce19588e674", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/results", + "id": "6fa44721-ef21-41c6-8665-330d59461163", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/results", + "id": "53bce6a8-5492-4b1b-81cf-664385f0c4bf", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/results", + "id": "d395a950-12ce-4314-a742-ac5a785ab44e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/results", + "id": "a0f1bfe0-741e-473f-b3b2-13e66f856fab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/results", + "id": "c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/results", + "id": "6a6d7e56-c913-4549-b5c5-5221e624d2ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/results", + "id": "c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "3505094c-f77c-4ba0-95da-f83db712f86c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/results", + "id": "594f54e7-f744-45ab-93e4-c6dbaf6cd571", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/results", + "id": "9232306a-f839-40aa-b3ef-b352001da9a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/results", + "id": "218413a0-c716-4b94-9e08-0bb70d854709", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/results", + "id": "ea6bc7a6-d696-4dcf-a788-17fa03c17c81", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_ingress_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/results", + "id": "57ced4b9-6ba4-487b-8843-b65562b90c77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/results", + "id": "8ed0bfce-f780-46d4-b086-21c3628f09ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/results", + "id": "905f4741-f965-45c1-98db-f7a00a0e5c73", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/results", + "id": 
"7af1c447-c014-4f05-bd8b-ebe3a15734ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/results", + "id": "ed9b3beb-92cf-44d9-a9d2-171eeba569d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_allows_all_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/results", + "id": "d994585f-defb-4b51-b6d2-c70f020ceb10", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/results", + "id": "86b0efa7-4901-4edd-a37a-c034bec6645a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_queue_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/results", + "id": "e1e7b278-2a8b-49bd-a26e-66a7f70b17eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/results", + "id": 
"d39761d7-94ab-45b0-ab5e-27c44e381d58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/results", + "id": "17d5ba1d-7667-4729-b1a6-b11fde3db7f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/results", + "id": "32d31f1f-0f83-4721-b7ec-1e6948c60145", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/results", + "id": "722b0f24-5a64-4cca-aa96-cfc26b7e3a5b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/results", + "id": "83c5fa4c-e098-48fc-84ee-0a537287ddd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/results", + "id": "c09f4d3e-27d2-4d46-9453-abbe9687a64e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/results", + "id": "a6d27cf7-61dc-4bde-ae08-3b353b609f76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/results", + "id": "fb8f8929-afeb-4c46-99f0-a6cf410f7df4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/results", + "id": "b176e927-bbe2-44a6-a9c3-041417137e5f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/results", + "id": "29f35127-98e6-43af-8ec1-201b79f99604", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/results", + "id": "d5e83b32-56dd-4247-8c2e-074f43b38a5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_monitoring_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/results", + "id": "8c3bedf1-c570-4c3b-b414-d068cd39a00c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_network_policy_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/results", + "id": "149fa56c-4404-4f90-9e25-d34b676d5b39", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/results", + "id": "581dae78-307d-45d5-aae4-fe2b0db267a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_container_registry_with_no_locks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/results", + "id": "e2d834b7-8b25-4935-af53-4a60668dcbe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/results", + "id": "e8c80448-31d8-4755-85fc-6dbab69c2717", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/results", + "id": "23a4dc83-4959-4d99-8056-8e051a82bc1e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/cosmosdb_account_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "ca4df748-613a-4fbf-9c76-f02cbd580307", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/results", + "id": "69f72007-502e-457b-bd2d-5012e31ac049", 
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/results", + "id": "881696a8-68c5-4073-85bc-7c38a3deb854", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/results", + "id": "0461b4fd-21ef-4687-929e-484ee4796785", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/log_retention_is_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/results", + "id": "89f84a1e-75f8-47c5-83b5-bee8e2de4168", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/results", + "id": "2a901825-0f3b-4655-a0fe-e0470e50f8e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/mysql_ssl_connection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/results", + "id": "7ab33ac0-e4a3-418f-a673-50da4e34df21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/results", + "id": "7b47138f-ec0e-47dc-8516-e7728fe3cc17", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_connections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/results", + "id": "054d07b5-941b-4c28-8eef-18989dc62323", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/results", + "id": "729ebb15-8060-40f7-9017-cb72676a5487", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_log_duration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/results", + "id": "a9becca7-892a-4af7-b9e1-44bf20a4cd9a", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/results", + "id": "35e2f133-a395-40de-a79d-b260d973d1bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/public_storage_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/results", + "id": "869e7fb4-30f0-4bdb-b360-ad548f337f2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/results", + "id": "0d0c12b9-edce-4510-9065-13f6a758750c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_entirely_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/results", + "id": "0632d0db-9190-450a-8bb3-c283bffea445", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/redis_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/results", + "id": "5c80db8e-03f5-43a2-b4af-1f3f87018157", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/results", + "id": "da4f2739-174f-4cdd-b9ef-dc3f14b5931f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/security_group_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/results", + "id": "0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/results", + "id": "37fafbea-dedb-4e0d-852e-d16ee0589326", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/small_activity_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/results", + "id": "f4e9ff70-0f3b-4c50-a713-26cbe7ec4039", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/results", + "id": "530e8291-2f22-4bab-b7ea-306f1bc2a308", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/results", + "id": "663062e9-473d-4e87-99bc-6f3684b3df40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/results", + "id": "961ce567-a16d-4d7d-9027-f0ec2628a555", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/ssl_enforce_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/results", + "id": "2c99a474-2a3c-4c17-8294-53ffa5ed0522", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/results", + "id": "c62746cf-92d5-4649-9acf-7d48d086f2ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/results", + "id": "4d3817db-dd35-4de4-a80d-3867157e7f7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/storage_container_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/results", + "id": "1bc398a8-d274-47de-a4c8-6ac867b353de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/results", + "id": "3f23c96c-f9f5-488d-9b17-605b8da5842f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/unrestricted_sql_server_acess/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/results", + "id": 
"1e5f5307-3e01-438d-8da6-985307ed25ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/vm_not_attached_to_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/results", + "id": "2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/results", + "id": "eb8c2560-8bee-4248-9d0d-e80c8641dd91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/results", + "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/results", + "id": "d7dc9350-74bc-485b-8c85-fed22d276c43", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/communication_over_http_in_defaults/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/results", + "id": "c6473dae-8477-4119-88b7-b909b435ce7b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/results", + "id": "404908b6-4954-4611-98f0-e8ceacdabcb1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/results", + "id": "2263b286-2fe9-4747-a0ae-8b4768a2bbd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/bigquery_dataset_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/results", + "id": "20180133-a0d0-4745-bfe0-94049fbb12a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/results", + "id": "80b15fb1-6207-40f4-a803-6915ae619a03", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/results", + "id": "6d34aff3-fdd2-460c-8190-756a3b4969e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/results", + "id": "9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "086031e1-9d4a-4249-acb3-5bfe4c363db2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "507df964-ad97-4035-ab14-94a82eabdfdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "7814ddda-e758-4a56-8be3-289a81ded929", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/results", + "id": "fbe9b2d0-a2b7-47a1-a534-03775f3013f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/results", + "id": "9df7f78f-ebe3-432e-ac3b-b67189c15518", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cluster_master_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/results", + "id": "829f1c60-2bab-44c6-8a21-5cd9d39a2c82", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/results", + "id": "be41f891-96b1-4b9d-b74f-b922a918c778", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/results", + "id": "092bae86-6105-4802-99d2-99cd7e7431f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/results", + "id": "6cf4c3a7-ceb0-4475-8892-3745b84be24a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/results", + "id": "344bf8ab-9308-462b-a6b2-697432e40ba1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_basic_authentication_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/results", + "id": "300a9964-b086-41f7-9378-b6de3ba1c32b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/results", + "id": "d43366c5-80b0-45de-bbe8-2338f4ab0a83", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/results", + "id": "dc126833-125a-40fb-905a-ce5f2afde240", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/gke_using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/results", + "id": "29b8224a-60e9-4011-8ac2-7916a659841f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/results", + "id": "7289eebd-a477-4064-8ad4-3c044bd70b00", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/results", + "id": "3602d273-3290-47b2-80fa-720162b1a8af", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "b28bcd2f-c309-490e-ab7c-35fc4023eb26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/results", + "id": "6a4080ae-79bd-42f6-a924-8f534c1c018b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "d58c6f24-3763-4269-9f5b-86b2569a003b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/results", + "id": "f9b7086b-deb8-4034-9330-d7fd38f1b8de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/results", + "id": "ed672a9f-fbf0-44d8-a47d-779501b0db05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/results", + "id": "11bd3554-cd56-4257-8e25-7aaf30cf8f5f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/results", + "id": "a7b520bb-2509-4fb0-be05-bc38f54c7a4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/results", + "id": "98e04ca0-34f5-4c74-8fec-d2e611ce2790", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/results", + "id": "d6e10477-2e19-4bcd-b8a8-19c65b89ccdf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/results", + "id": "66dae697-507b-4aef-be18-eec5bd707f33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/results", + "id": "89afe3f0-4681-4ce3-89ed-896cebd4277c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/results", + "id": "d7a5616f-0a3f-4d43-bc2b-29d1a183e317", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/results", + "id": "d6fae5b6-ada9-46c0-8b36-3108a2a2f77b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/results", + "id": "28a757fc-3d8f-424a-90c0-4233363b2711", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/results", + "id": "aed98a2a-e680-497a-8886-277cea0f4514", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/results", + "id": "3b30e3d6-c99b-4318-b38f-b99db74578b5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "099b4411-d11e-4537-a0fc-146b19762a79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/results", + "id": "75418eb9-39ec-465f-913c-6f2b6a80dc77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/results", + "id": "c6fc6f29-dc04-46b6-99ba-683c01aff350", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/results", + "id": "18d3a83d-4414-49dc-90ea-f0387b2856cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/results", + "id": "0c82eae2-aca0-401f-93e4-fb37a0f9e5e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/results", + "id": "7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/results", + "id": "b2fbf1df-76dd-4d78-a6c0-e538f4a9b016", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/results", + "id": "19c9e2a0-fc33-4264-bba1-e3682661e8f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/results", + "id": "20dcd953-a8b8-4892-9026-9afa6d05a525", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/results", + "id": "2775e169-e708-42a9-9305-b58aadd2c4dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/results", + "id": "bc20bbc6-0697-4568-9a73-85af1dd97bdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/gcp/vm_with_full_cloud_access/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/results", + "id": "2e8d4922-8362-4606-8c14-aa10466a1ce3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/communication_over_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/results", + "id": "8d22ae91-6ac1-459f-95be-d37bd373f244", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/insecure_relative_path_resolution/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/results", + "id": "59029ddf-e651-412b-ae7b-ff6d403184bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/logging_of_sensitive_data/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/results", + "id": "0e75052f-cc02-41b8-ac39-a78017527e95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/privilege_escalation_using_become_plugin/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/results", + "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/risky_file_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/results", + "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/general/unpinned_package_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/results", + "id": "1b2bf3ff-31e9-460e-bbfb-45e48f4f20cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/results", + "id": "a8852cc0-fd4b-4fc7-9372-1e43fad0732e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/account_admins_not_notified_by_email/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/results", + "id": "25c0228e-4444-459b-a2df-93c7df40b7ed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/results", + "id": "9307a2ed-35c2-413d-94de-a1a0682c2158", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/results", + "id": "c62d3b92-9a11-4ffd-b7b7-6faaae83faed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_dashboard_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/results", + "id": "9b09dee1-f09b-4013-91d2-158fa4695f4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/results", + "id": "2583fab1-953b-4fae-bd02-4a136a6c21f9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/results", + "id": "83130a07-235b-4a80-918b-a370e53f0bd9", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/app_service_authentication_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/results", + "id": "6797f581-0433-4768-ae3e-7ceb2f8b138e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/results", + "id": "350f3955-b5be-436f-afaa-3d2be2fa6cdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "d855ced8-6157-448f-9f1d-f05a41d046f7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/results", + "id": "79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/email_notifications_set_off/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/results", + "id": "4d2cf896-c053-4be5-9c95-8b4771112f29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/results", + "id": "7c25f361-7c66-44bf-9b69-022acd5eb4bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/key_vault_not_recoverable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/results", + "id": "4d522e7b-f938-4d51-a3b1-974ada528bd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/log_profile_incorrect_category/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/results", + "id": "90120147-f2e7-4fda-bb21-6fa9109afd63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/results", + "id": "59cb3da7-f206-4ae6-b827-7abf0a9cab9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/results", + "id": "2ade1579-4b2c-4590-bebb-f99bf597f612", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/results", + "id": "3e9fcc67-1f64-405f-b2f9-0a6be17598f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/results", + "id": "a6d774b6-d9ea-4bf4-8433-217bf15d2fb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/results", + "id": "f9112910-c7bb-4864-9f5e-2059ba413bb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/results", + "id": "e69bda39-e1e2-47ca-b9ee-b6531b23aedd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/results", + "id": "bf500309-da53-4dd3-bcf7-95f7974545a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/results", + "id": "8fa9ceea-881f-4ef0-b0b8-728f589699a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/results", + "id": 
"cff9c3f7-e8f0-455f-9fb4-5f72326da96e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/secret_without_expiration_date/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/results", + "id": "89b79fe5-49bd-4d39-84ce-55f5fc6f7764", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_alert_policy_without_emails/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/results", + "id": "6a3201a5-1630-494b-b294-3129d06b0eca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/results", + "id": "574e8d82-1db2-4b9c-b526-e320ede9a9ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/results", + "id": "c09cdac2-7670-458a-bf6c-efad6880973a", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/results", + "id": "e055285c-bc01-48b4-8aa5-8a54acdd29df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/sql_server_database_without_auditing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/results", + "id": "2081c7d6-2851-4cce-bda5-cb49d462da42", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/standard_price_not_selected/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/results", + "id": "9073f073-5d60-4b46-b569-0d6baa80ed95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_network_default_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/results", + "id": "1367dd13-2c90-4020-80b7-e4339a3dc2c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/results", + "id": "a0ab985d-660b-41f7-ac81-70957ee8e627", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/results", + "id": "43f6e60c-9cdb-4e77-864d-a66595d26518", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/results", + "id": "e25b56cd-a4d6-498f-ab92-e6296a082097", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/results", + "id": "25684eac-daaa-4c2c-94b4-8d2dbb627909", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/results", + "id": "564b70f8-41cd-4690-aff8-bb53add86bc9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/results", + "id": "b5c851d5-00f1-43dc-a8de-3218fd6f71be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/results", + "id": "e9c133e5-c2dd-4b7b-8fff-40f2de367b56", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_azure_active_directory_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/results", + "id": "488847ff-6031-487c-bf42-98fd6ac5c9a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/results", + "id": "92302b47-b0cc-46cb-a28f-5610ecda140b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/results", + "id": "70111098-7f85-48f0-b1b4-e4261cf5f61b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/azureResourceManager/website_with_http20enabled_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/results", + "id": "a1bc27c6-7115-48d8-bf9d-5a7e836845ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/buildah/run_using_apt/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/results", + "id": "20f14e1a-a899-4e79-9f09-b6a84cd4649b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/run_block_injection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/results", + "id": "62ff6823-927a-427f-acf9-f1ea2932d616", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/script_block_injection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/results", + "id": "555ab8f9-2001-455e-a077-f2d0f41e2fb9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/results", + "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cicd/github/unsecured_commands/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/results", + "id": "800fa019-49dd-421b-9042-7331fdd83fa2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/results", + "id": "105ba098-1e34-48cd-b0f2-a8a43a51bf9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/results", + "id": "275a3217-ca37-40c1-a6cf-bb57d245ab32", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alb_listening_on_http/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/results", + "id": "3c3b7a58-b018-4d07-9444-d9ee7156e111", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "5864fb39-d719-4182-80e2-89dbe627be63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/results", + "id": "316278b3-87ac-444c-8f8f-a733a28da60f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/results", + "id": "73980e43-f399-4fcc-a373-658228f7adf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/results", + "id": "71493c8b-3014-404c-9802-078b74496fb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/results", + "id": "03b38885-8f4e-480c-a0e4-12c1affd15db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/results", + "id": "dfb56e5d-ee68-446e-b32a-657b62befe69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/results", + "id": "80d45af4-4920-4236-a56e-b7ef419d1941", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/results", + "id": "52790cad-d60d-41d5-8483-146f9f21208d", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/results", + "id": "37cca703-b74c-48ba-ac81-595b53398e9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/results", + "id": "06ec63e3-9f72-4fe2-a218-2eb9200b8db5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/results", + "id": "783860a3-6dca-4c8b-81d0-7b62769ccbca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "4a8daf95-709d-4a36-9132-d3e19878fa34", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/results", + "id": "3641d5b4-d339-4bc2-bfb9-208fe8d3477f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/results", + "id": "7f8f1b60-43df-4c28-aa21-fb836dbd8071", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/results", + "id": "d6653eee-2d4d-4e6a-976f-6794a497999a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/results", + "id": "1056dfbb-5802-4762-bf2b-8b9b9684b1b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_with_open_access/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/results", + "id": "7fd0d461-5b8c-4815-898c-f2b4b117eb28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/results", + "id": "8275fab0-68ec-4705-bbf4-86975edb170e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/results", + "id": "ed4c48b8-eccc-4881-95c1-09fdae23db25", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/results", + "id": "fcbf9019-566c-4832-a65c-af00d8137d2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/results", + "id": 
"4ab10c48-bedb-4deb-8f3b-ff12783b61de", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "ad21e616-5026-4b9d-990d-5b007bfe679c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/results", + "id": "f0104061-8bfc-4b45-8a7d-630eb502f281", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "76ddf32c-85b1-4808-8935-7eef8030ab36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/results", + "id": "40078463-6806-4bc0-b86e-7f121df601c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/payloads" + }, + { 
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/results", + "id": "e4f54ff4-d352-40e8-a096-5141073c37a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/results", + "id": "9ecb6b21-18bc-4aa7-bd07-db20f1c746db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/results", + "id": "de77cd9f-0e8b-46cc-b4a4-b6b436838642", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/results", + "id": "31733ee2-fef0-4e87-9778-65da22a8ecf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "dc17ee4b-ddf2-4e23-96e8-7a36abad1303", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/results", + "id": "0f139403-303f-467c-96bd-e717e6cfd62d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/results", + "id": "2a3560fe-52ca-4443-b34f-bf0ed5eb74c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "050a9ba8-d1cb-4c61-a5e8-8805a70d3b85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/results", + "id": "5c0b06d5-b7a4-484c-aeb0-75a836269ff0", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/results", + "id": "058ac855-989f-4378-ba4d-52d004020da7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "65d07da5-9af5-44df-8983-52d2e6f24c44", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "3e09413f-471e-40f3-8626-990c79ae63f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/results", + "id": "0f0fb06b-0f2f-4374-8588-f2c7c348c7a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/results", + "id": "5d3c1807-acb3-4bb0-be4e-0440230feeaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/results", + "id": "2844c749-bd78-4cd1-90e8-b179df827602", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/results", + "id": "1c07bfaf-663c-4f6f-b22b-8e2d481e4df5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/results", + "id": "ffee2785-c347-451e-89f3-11aeb08e5c84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/results", + "id": "d7467bb6-3ed1-4c82-8095-5e7a818d0aad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/codebuild_not_encrypted/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/results", + "id": "74a18d1a-cf02-4a31-8791-ed0967ad7fdc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/results", + "id": "1b6322d9-c755-4f8c-b804-32c19250f2d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/results", + "id": "a5366a50-932f-4085-896b-41402714a388", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/results", + "id": "e5849a68-bdbe-4b70-97c6-6901f39f8094", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/results", + "id": "0104165b-02d5-426f-abc9-91fb48189899", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/results", + "id": "9564406d-e761-4e61-b8d7-5926e3ab8e79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/results", + "id": "e52395b4-250b-4c60-81d5-2e58c1d37abc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_kms_key_usage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "ea33fcf7-394b-4d11-a228-985c5d08f205", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/results", + "id": "06b9f52a-8cd5-459b-bdc6-21a22521e1be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/results", + "id": "6685d912-d81f-4cfa-95ad-e316ea31c989", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/results", + "id": "f988a17f-1139-46a3-8928-f27eafd8b024", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/results", + "id": "5f700072-b7ce-4e84-b3f3-497bf1c24a4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/results", + "id": "39423ce4-9011-46cd-b6b1-009edcd9385d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/results", + "id": "1bf3b3d4-f373-4d7c-afbb-7d85948a67a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/results", + "id": "4bd21e68-38c1-4d58-acdc-6a14b203237f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": "0f04217d-488f-4e7a-bec8-f16159686cd6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/results", + "id": "c8dee387-a2e6-4a73-a942-183c975549ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/results", + "id": "c333e906-8d8b-4275-b999-78b6318f8dc6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/results", + "id": "80b7ac3f-d2b7-4577-9b10-df7913497162", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/results", + "id": "1819ac03-542b-4026-976b-f37addd59f3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/results", + "id": "b7063015-6c31-4658-a8e7-14f98f37fd42", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/results", + "id": "f914357d-8386-4d56-9ba6-456e5723f9a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/results", + "id": "0264093f-6791-4475-af34-4b8102dcbcd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/results", + "id": "b3de4e4c-14be-4159-b99d-9ad194365e4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/results", + "id": "08b81bb3-0985-4023-8602-b606ad81d279", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/results", + "id": "e42a3ef0-5325-4667-84bf-075ba1c9d58e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/results", + "id": "045ddb54-cfc5-4abb-9e05-e427b2bc96fe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/results", + "id": "2623d682-dccb-44cd-99d0-54d9fd62f8f2", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/results", + "id": "77b6f1e2-bde4-4a6a-ae7e-a40659ff1576", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/results", + "id": "8dd0ff1f-0da4-48df-9bb3-7f338ae36a40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/results", + "id": "03879981-efa2-47a0-a818-c843e1441b88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/results", + "id": "c44c95fc-ae92-4bb8-bdf8-bb9bc412004a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/results",
+ "id": "494b03d3-bf40-4464-8524-7c56ad0700ed",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/results",
+ "id": "33f41d31-86b1-46a4-81f7-9c9a671f59ac",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/results",
+ "id": "75be209d-1948-41f6-a8c8-e22dd0121134",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/results",
+ "id": "77a92b0e-b578-4a2e-bb0d-3c53ec4cfb7e",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/results",
+ "id": "ab759fde-e1e8-4b0e-ad73-ba856e490ed8",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/results",
+ "id": "6c131358-c54d-419b-9dd6-1f7dd41d180c",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/results",
+ "id": "fb2b0ecf-1492-491a-a70d-ba1df579175d",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/results",
+ "id": "01986452-bdd8-4aaa-b5df-d6bf61d616ff",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/results",
+ "id": "79d745f0-d5f3-46db-9504-bef73e9fd528",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/results",
+ "id": "c0c26068-fdf0-40e5-9b3b-fc8a5f585d2e",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/results",
+ "id": "d24389b4-b209-4ff0-8345-dc7a4569dcdd",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/results",
+ "id": "f4c9b5f5-68b8-491f-9e48-4f96644a1d51",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/results",
+ "id": "027a4b7a-8a59-4938-a04f-ed532512cf45",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/payloads"
+ },
+ {
+
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/results",
+ "id": "2ff8e83c-90e1-4d68-a300-6d652112e622",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_not_encrypted/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/results",
+ "id": "c1282e03-b285-4637-aee7-eefe3a7bb658",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/results",
+ "id": "6d087495-2a42-4735-abf7-02ef5660a7e6",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_kms/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/results",
+ "id": "08e39832-5e42-4304-98a0-aa5b43393162",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/efs_without_tags/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/results",
+ "id": "8e5ef52b-e673-4c3f-9b2e-99cdd0139059",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/results",
+ "id": "73d59e76-a12c-4b74-a3d8-d3e1e19c25b3",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/eks_node_group_remote_access/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/results",
+ "id": "cfdef2e5-1fe4-4ef4-bea8-c56e08963150",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/results",
+ "id": "323db967-c68e-44e6-916c-a777f95af34b",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_using_default_port/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/results",
+ "id": "e4ee3903-9225-4b6a-bdfb-e62dbadef821",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/payloads"
+ },
+ {
+ "test_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/results",
+ "id": "3b02569b-fc6f-4153-b3a3-ba91022fed68",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/results",
+ "id": "ba766c53-fe71-4bbb-be35-b6803f2ef13e",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticache_without_vpc/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/results",
+ "id": "d926aa95-0a04-4abc-b20c-acf54afe38a1",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/results",
+ "id": "43ed6fe0-edb6-43c2-97be-6501cf563d53",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/results",
+ "id": "86a248ab-0e01-4564-a82a-878303e253bb",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/results",
+ "id": "4cdc88e6-c0c8-4081-a639-bb3a557cbedf",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/results",
+ "id": "c420748a-bd4a-46c8-9541-93dd1e0ccf38",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/results",
+ "id": "f3a2dfb1-c8ff-47d1-a08a-aa329613a73c",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/results",
+ "id": "5c666ed9-b586-49ab-9873-c495a833b705",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/results",
+ "id": "086ea2eb-14a6-4fd4-914b-38e0bc8703e8",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/results",
+ "id": "ee12ad32-2863-4c0f-b13f-28272d115028",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_access_log_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/results",
+ "id": "78055456-f670-4d2e-94d5-392d1cf4f5e4",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/results",
+ "id": "61a94903-3cd3-4780-88ec-fc918819b9c8",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/results",
+ "id": "809f77f8-d10e-4842-a84f-3be7b6ff1190",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/results",
+ "id": "c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/results",
+ "id": "e200a6f3-c589-49ec-9143-7421d4a2c845",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/results",
+ "id": "01d5a458-a6c4-452a-ac50-054d59275b7c",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/results",
+ "id": "80908a75-586b-4c61-ab04-490f4f4525b8",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/elb_without_secure_protocol/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/results",
+ "id": "7f384a5f-b5a2-4d84-8ca3-ee0a5247becb",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/results",
+ "id": "48af92a5-c89b-4936-bc62-1086fe2bab23",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/results",
+ "id": "5b033ec8-f079-4323-b5c8-99d4620433a9",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/results",
+ "id": "bf89373a-be40-4c04-99f5-746742dfd7f3",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/emr_wihout_vpc/payloads"
+ },
+ {
+ "test_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/results",
+ "id": "e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/fully_open_ingress/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/results",
+ "id": "43356255-495d-4148-ad8d-f6af5eac09dd",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/results",
+ "id": "7f8843f0-9ea5-42b4-a02b-753055113195",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/geo_restriction_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/results",
+ "id": "5906092d-5f74-490d-9a03-78febe0f65e1",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/github_repository_set_to_public/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/results",
+ "id":
"a25cd877-375c-4121-a640-730929936fac",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/guardduty_detector_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/results",
+ "id": "2564172f-c92b-4261-9acd-464aed511696",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/results",
+ "id": "ddfc4eaa-af23-409f-b96c-bf5c45dc4daa",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/http_port_open/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/results",
+ "id": "8d29754a-2a18-460d-a1ba-9509f8d359da",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/results",
+ "id": "9fcd0a0a-9b6f-4670-a215-d94e6bf3f184",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/results",
+ "id": "6282794f-def8-4d6f-9df6-289318aa42b8",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/results",
+ "id": "8f957abd-9703-413d-87d3-c578950a753c",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_group_without_users/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/results",
+ "id": "a58d1a2d-4078-4b80-855b-84cc3f7f4540",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_groups_inline_policies/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/results",
+ "id": "0e5872b4-19a0-4165-8b2f-56d9e14b909f",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/results",
+ "id": "b1b20ae3-8fa7-4af5-a74d-a2145920fcb1",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/payloads"
+ },
+
{
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/results",
+ "id": "edc95c10-7366-4f30-9b4b-f995c84eceb5",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/results",
+ "id": "953b3cdb-ce13-428a-aa12-318726506661",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/results",
+ "id": "5e7acff5-095b-40ac-9073-ac2e4ad8a512",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policies_without_groups/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/results",
+ "id": "022f8938-4b17-420c-aca3-f917f290f322",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/results",
+ "id": "e835bd0d-65da-49f7-b6d1-b646da8727e6",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/results",
+ "id": "f62aa827-4ade-4dc4-89e4-1433d384a368",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/results",
+ "id": "e4239438-e639-44aa-adb8-866e400e3ade",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_policy_on_user/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/results",
+ "id": "f80e3aa7-7b34-4185-954e-440a6894dde6",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/results",
+ "id": "06adef8c-c284-4de7-aad2-af43b07a8ca1",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/results",
+ "id": "48677914-6fdf-40ec-80c4-2b0e94079f54",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/results",
+ "id": "06933df4-0ea7-461c-b9b5-104d27390e0e",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iam_user_with_no_group/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/results",
+ "id": "9e8c89b3-7997-4d15-93e4-7911b9db99fd",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/results",
+ "id": "a4f5f706-80fd-4c96-9a24-6ab317d33d24",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/test",
+
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/results",
+ "id": "8a6d36cd-0bc6-42b7-92c4-67acc8576861",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/instance_with_no_vpc/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/results",
+ "id": "4d32780f-43a4-424a-a06d-943c543576a5",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/results",
+ "id": "be5b230d-4371-4a28-a441-85dc760e2aa3",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/results",
+ "id": "7f65be75-90ab-4036-8c2a-410aef7bb650",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/results",
+ "id": "f6049677-ec4a-43af-8779-5190b6d03cba",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/results",
+ "id": "235ca980-eb71-48f4-9030-df0c371029eb",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/results",
+ "id": "da905474-7454-43c0-b8d2-5756ab951aba",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/results",
+ "id": "c2eae442-d3ba-4cb1-84ca-1db4f80eae3d",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/results",
+ "id": "8df8e857-bd59-44fa-9f4c-d77594b95b46",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_function_without_tags/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test",
+
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/results",
+ "id": "a0ae0a4e-712b-4115-8112-51b9eeed9d69",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/results",
+ "id": "ae03f542-1423-402f-9cef-c834e7ee9583",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/results",
+ "id": "9488c451-074e-4cd3-aee3-7db6104f542c",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/results",
+ "id": "9b83114b-b2a1-4534-990d-06da015e47aa",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/results",
+ "id": "1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/results",
+ "id": "e649a218-d099-4550-86a4-1231e1fcb60d",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/results",
+ "id": "68b6a789-82f8-4cfd-85de-e95332fe6a61",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/results",
+ "id": "e519ed6a-8328-4b69-8eb7-8fa549ac3050",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/results",
+ "id": "0ce1ba20-8ba8-4364-836f-40c24b8cb0ab",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test",
+ "results_file_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/results",
+ "id": "a976d63f-af0e-46e8-b714-8c1a9c4bf768",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/results",
+ "id": "fc7c2c15-f5d0-4b80-adb2-c89019f8f62b",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/results",
+ "id": "a3aa0087-8228-4e7e-b202-dc9036972d02",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/results",
+ "id": "bf4473f1-c8a2-4b1b-8134-bd32efabab93",
+ "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/payloads"
+ },
+ {
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test",
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/results",
+ "id": "63a847b2-3782-4dbb-b452-524bf038984b",
+ "payload_path":
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/results", + "id": "57b12981-3816-4c31-b190-a1e614361dd2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/results", + "id": "4e88adee-a8eb-4605-a78d-9fb1096e3091", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/results", + "id": "de38e1d5-54cb-4111-a868-6f7722695007", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/results", + "id": "2c161e58-cb52-454f-abea-6470c37b5e6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/results", + "id": "2b1d4935-9acf-48a7-8466-10d18bf51a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/results", + "id": "65844ba3-03a1-40a8-b3dd-919f122e8c95", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/results", + "id": "5beacce3-4020-4a3d-9e1d-a36f953df630", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/results", + "id": "1fe9d958-ddce-4228-a124-05265a959a8b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/results", + "id": "8c415f6f-7b90-4a27-a44a-51047e1506f9", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/results", + "id": "3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/results", + "id": "de76a0d6-66d5-45c9-9022-f05545b85c78", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/results", + "id": "40d5e9cd-5cfd-41f9-be60-b6cf4e907917", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/results", + "id": "3b316b05-564c-44a7-9c3f-405bb95e211e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/results", + "id": "bdf8dcb4-75df-4370-92c4-606e4ae6c4d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/results", + "id": "a478af30-8c3a-404d-aa64-0b673cee509a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/redshift_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/results", + "id": "5b48c507-0d1f-41b0-a630-76817c6b4189", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/refresh_token_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/results", + "id": "c9846969-d066-431f-9b34-8c4abafe422a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/results", + "id": "4c137350-7307-4803-8c04-17c09a7a9fcf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/payloads" + }, + 
{ + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/results", + "id": "24d932e1-91f0-46ea-836f-fdbd81694151", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/results", + "id": "4f0908b9-eb66-433f-9145-134274e1e944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/routertable_with_default_routing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/results", + "id": "7772bb8c-c0f3-42d4-8e4e-f1b8939ad085", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/results", + "id": "07dda8de-d90d-469e-9b37-1aca53526ced", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/results", + "id": "219f4c95-aa50-44e0-97de-cf71f4641170", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "835d5497-a526-4aea-a23f-98a9afd1635f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/results", + "id": "acc78859-765e-4011-a229-a65ea57db252", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/results", + "id": "f97b7d23-568f-4bcc-9ac9-02df0d57fbba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/results", + "id": "faa8fddf-c0aa-4b2d-84ff-e993e233ebe9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/results", + "id": "48f100d9-f499-4c6d-b2b8-deafe47ffb26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/results", + "id": "f6397a20-4cf1-4540-a997-1d363c25ef58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/results", + "id": "456b00a3-1072-4149-9740-6b8bb60251b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/results", + "id": 
"c3ce69fd-e3df-49c6-be78-1db3f802261c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/results", + "id": "4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/results", + "id": "37fa8188-738b-42c8-bf82-6334ea567738", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/results", + "id": "4ae8af91-5108-42cb-9471-3bdbe596eac9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/results", + "id": "860ba89b-b8de-4e72-af54-d6aee4138a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "3609d27c-3698-483a-9402-13af6ae80583", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/results", + "id": "6c8d51af-218d-4bfb-94a9-94eabaa0703a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/results", + "id": "350cd468-0e2c-44ef-9d22-cfb73a62523c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/results", + "id": "b2e8752c-3497-4255-98d2-e4ae5b46bbf5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/results", + "id": "38c64e76-c71e-4d92-a337-60174d1de1c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/results", + "id": "a227ec01-f97a-4084-91a4-47b350c1db54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/results", + "id": "90501b1b-cded-4cc1-9e8b-206b85cda317", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/results", + "id": "709e6da6-fa1f-44cc-8f17-7f25f96dadbe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/results", + "id": "88d55d94-315d-4564-beee-d2d725feab11", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/results", + "id": "44034eda-1c3f-486a-831d-e09a7dd94354", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/results", + "id": "9c7028d9-04c2-45be-b8b2-1188ccaefb36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/results", + "id": "6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/results", + "id": "c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/results", + "id": "bed9762b-9bf6-4823-98e2-b1752bee0bf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/results", + "id": "be96849c-3df6-49c2-bc16-778a7be2519c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/results", + "id": "1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/results", + "id": "ee464fc2-54a6-4e22-b10a-c6dcd2474d0c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/results", + "id": "dae9c373-8287-462f-8746-6f93dad93610", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/results", + "id": "a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/results", + "id": "1a427b25-2e9e-4298-9530-0499a55e736b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/results", + "id": "87482183-a8e7-4e42-a566-7a23ec231c16", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/results", + "id": 
"5e6c9c68-8a82-408e-8749-ddad78cbb9c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_group_rule_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/results", + "id": "66f2d8f9-a911-4ced-ae27-34f09690bb2c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/results", + "id": "3ae83918-7ec7-4cb8-80db-b91ef0f94002", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/results", + "id": "cdbb0467-2957-4a77-9992-7b55b29df7b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/results", + "id": "adcd0082-e90b-4b63-862b-21899f6e6a48", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/results", + "id": "6e856af2-62d7-4ba2-adc1-73b62cef9cc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/results", + "id": "493d9591-6249-47bf-8dc0-5c10161cc558", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/results", + "id": "ad7444cf-817a-4765-a79e-2145f7981faf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/results", + "id": "ae53ce91-42b5-46bf-a84f-9a13366a4f13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/results", + "id": "818f38ed-8446-4132-9c03-474d49e10195", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/results", + "id": "9d13b150-a2ab-42a1-b6f4-142e41f81e52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/results", + "id": "9b6a3f5b-5fd6-40ee-9bc0-ed604911212d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/results", + "id": "12726829-93ed-4d51-9cbe-13423f4299e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/results", + "id": "837e033c-4717-40bd-807e-6abaa30161b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/results", + "id": "fe974ae9-858e-4991-bbd5-e040a834679f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/results", + "id": "d71b5fd7-9020-4b2d-9ec8-b3839faa2744", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/support_has_no_role_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/results", + "id": "9c30655c-f9a1-4296-b365-53c0bba80c76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/results", + "id": "f57f849c-883b-4cb7-85e7-f7b199dff163", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/results", + "id": "829ce3b8-065c-41a3-ad57-e0accfea82d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/results", + "id": "4a1e6b34-1008-4e61-a5f2-1f7c276f8d14", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/results", + "id": "9025b2b3-e554-4842-ba87-db7aeec36d35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/unscanned_ecr_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/results", + "id": "568cc372-ca64-420d-9015-ee347d00d288", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/results", + "id": "a964d6e3-8e1e-4d93-8120-61fa640dd55a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/results", + "id": "97e94d17-e2c7-4109-a53b-6536ac1bb64e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/results", + "id": "f6d299d2-21eb-41cc-b1e1-fe12d857500b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/results", + "id": "3b3b4411-ad1f-40e7-b257-a78a6bb9673a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/results", + "id": "3e293410-d5b8-411f-85fd-7d26294f20c9", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vpc_without_network_firewall/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/results", + "id": "b4d9c12b-bfba-4aeb-9cb8-2358546d8041", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/results", + "id": "6d64f311-3da6-45f3-80f1-14db9771ea40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/results", + "id": "cc8b294f-006f-4f8f-b5bb-0a9140c33131", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/results", + "id": "89827c57-5a8a-49eb-9731-976a606d70db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws/workspace_without_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/results", + "id": "124b173b-e06d-48a6-8acd-f889443d97a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/cassandra/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/results", + "id": "4e67c0ae-38a0-47f4-a50c-f0c9b75826df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/dynamo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/results", + "id": "0b0556ea-9cd9-476f-862e-20679dda752b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/ebs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/results", + "id": "ef05a925-8568-4054-8ff1-f5ba82631c16", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/efs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/results", + "id": "c689f51b-9203-43b3-9d8b-caed123f706c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/elasticache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/results", + "id": "d53323be-dde6-4457-9a43-42df737e71d2", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/kinesis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/results", + "id": "209189f3-c879-48a7-9703-fbcfa96d0cef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/mq/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/results", + "id": "2730c169-51d7-4ae7-99b5-584379eff1bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/msk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/results", + "id": "6ef03ff6-a2bd-483c-851f-631f248bc0ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/rds/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/results", + "id": "b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/s3_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/results", + "id": "42e7dca3-8cce-4325-8df0-108888259136", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sns/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/results", + "id": "59a849c2-1127-4023-85a5-ef906dcd458c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_bom/sqs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/results", + "id": "0a994e04-c6dc-471d-817e-d37451d18a3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/results", + "id": "60a05ede-0a68-4d0d-a58f-f538cf55ff79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/results", + "id": "6b5b0313-771b-4319-ad7a-122ee78700ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/results", + "id": "a2f2800e-614b-4bc8-89e6-fec8afd24800", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/results", + "id": "c757c6a3-ac87-4b9d-b28d-e5a5add6a315", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/results", + "id": "a7f8ac28-eed1-483d-87c8-4c325f022572", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/results", + "id": "cb2f612b-ed42-4ff5-9fb9-255c73d39a18", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/results", + "id": "a71ecabe-03b6-456a-b3bc-d1a39aa20c98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/results", + "id": "4ba74f01-aba5-4be2-83bc-be79ff1a3b92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/results", + "id": "dc1ab429-1481-4540-9b1d-280e3f15f1f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/results", + "id": "7b590235-1ff4-421b-b9ff-5227134be9bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "255b0fcc-9f82-41fe-9229-01b163e3376b", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/results", + "id": "6d19ce0f-b3d8-4128-ac3d-1064e0f00494", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/results", + "id": "934613fe-b12c-4e5a-95f5-c1dcdffac1ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/results", + "id": "e50eb68a-a4af-4048-8bbe-8ec324421469", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/results", + "id": "dd667399-8d9d-4a8d-bbb4-e49ab53b2f52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/db_security_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/results", + "id": "e6cd49ba-77ed-417f-9bca-4f5303554308", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/results", + "id": "0c7a76d9-7dc5-499e-81ac-9245839177cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/results", + "id": "72840c35-3876-48be-900d-f21b2f0c2ea1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/results", + "id": "bdecd6db-2600-47dd-a10c-72c97cf17ae9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/results", + "id": "a507daa5-0795-4380-960b-dd7bb7c56661", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/results", + "id": "83bf5aca-138a-498e-b9cd-ad5bc5e117b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/results", + "id": "d9dc6429-5140-498a-8f55-a10daac5f000", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/results", + "id": "9296f1cc-7a40-45de-bd41-f31745488a0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/results", + "id": "b2418936-cd47-4ea2-8346-623c0bdb87bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/results", + "id": "6c7cfec3-c686-4ed2-bf58-a1ec054b63fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "6c2d627c-de0f-45fb-b33d-dad9bffbb421", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "b4f65d13-a609-4dc1-af7c-63d2e08bffe9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/results", + "id": "4d9f44c6-2f4a-4317-9bb5-267adbea0232", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cgroup_not_default/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/results", + "id": "ce76b7d0-9e77-464d-b86f-c5c48e03e22d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_capabilities_unrestricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/results", + "id": 
"451d79dc-0588-476a-ad03-3c7f0320abb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/results", + "id": "6b610c50-99fb-4ef0-a5f3-e312fd945bc3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/cpus_not_limited/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/results", + "id": "404fde2c-bc4b-4371-9747-7054132ac953", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/default_seccomp_profile_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/results", + "id": "d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/docker_socket_mounted_in_container/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/results", + "id": "698ed579-b239-4f8f-a388-baa4bcb13ef8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/healthcheck_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/results", + "id": "4f31dd9f-2cc3-4751-9b53-67e4af83dac0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/host_namespace_is_shared/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/results", + "id": "bb9ac4f7-e13b-423d-a010-c74a1bfbe492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/memory_not_limited/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/results", + "id": "27fcc7d6-c49b-46e0-98f1-6c082a6a2750", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/no_new_privileges_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/results", + "id": "221e0658-cb2a-44e3-b08a-db96a341d6fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/pids_limit_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/results", + "id": "ae5b6871-7f45-42e0-bb4c-ab300c4d2026", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_containers_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/results", + "id": "bc2908f3-f73c-40a9-8793-c1b7d5544f79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/privileged_ports_mapped_in_container/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/results", + "id": "2fc99041-ddad-49d5-853f-e35e70a48391", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/results", + "id": "610e266e-6c12-4bca-9925-1ed0cd29742b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/security_opt_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/results", + "id": "baa3890f-bed7-46f5-ab8f-1da8fc91c729", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/results", + "id": "071a71ff-f868-47a4-ac0b-3c59e4ab5443", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_network_namespace/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/results", + "id": "8af7162d-6c98-482f-868e-0d33fb675ca8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_host_user_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/results", + "id": "8c978947-0ff6-485c-b0c2-0bfca6026466", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/shared_volumes_between_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/results", + "id": "1c1325ff-831d-43a1-973e-839ae57dfcc0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/results", + "id": "baa452f0-1f21-4a25-ace5-844e7a5f410d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/results", + "id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/add_instead_of_copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/results", + "id": "ae9c56a6-3ed1-4ac0-9b54-31267f51151d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apk_add_using_local_cache_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/results", + "id": "df746b39-6564-4fed-bf85-e9c44382303c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/results", + "id": "965a08d7-ef86-4f14-8792-4a3b2098937e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/results", + "id": "77783205-c4ca-4f80-bb80-c777f267c547", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/results", + "id": "7384dfb2-fcd1-4fbf-91cd-6c44c318c33c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/results", + "id": "8a301064-c291-4b20-adcb-403fe7fd95fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/changing_default_shell_using_run_command/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/results", + "id": "aa93e17f-b6db-4162-9334-c70334e7ac28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/chown_flag_exists/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/results", + "id": "cdddb86f-95f6-4fc4-b5a1-483d9afceb2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_from_references_current_from_alias/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/results", + "id": "6db6e0c2-32a3-4a2e-93b5-72c35f4119db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/payloads" + }, + { 
+ "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/results", + "id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/curl_or_wget_instead_of_add/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/results", + "id": "5907595b-5b6d-4142-b173-dbb0e73fbff8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/exposing_port_22/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/results", + "id": "22cd11f7-9c6c-4f6e-84c0-02058120b341", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/gem_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/results", + "id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/healthcheck_instruction_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/results", + "id": "9efb0b2d-89c9-41a3-91ca-dcc0aec911fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_not_explicit/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/results", + "id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/image_version_using_latest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/results", + "id": "67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/last_user_is_root/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/results", + "id": "99614418-f82b-4852-a9ae-5051402b741c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/maintainer_instruction_being_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/results", + "id": "295acb63-9246-4b21-b441-7c1f1fb62dc0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_dnf_clean_all/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/results", + "id": "7ebd323c-31b7-4e5b-b26f-de5e9e477af8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_flag_from_dnf_install/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/results", + "id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_user_instruction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/results", + "id": "93d88cf7-f078-46a8-8ddc-178e03aeacf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_version_specification_in_dnf_install/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/results", + "id": "38300d1a-feb2-4a48-936a-d1ef1cd24313", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_clean/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/results", + "id": "45e1fca5-f90e-465d-825f-c2cb63fa3944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/missing_zypper_non_interactive_switch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/results", + "id": "41c195f4-fc31-4a5c-8a1b-90605538d49f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_cmd_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/results", + "id": "6938958b-3f1a-451c-909b-baeee14bdc97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/results", + "id": "0008c003-79aa-42d8-95b8-1c2fe37dbfe6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/results", + "id": "b86987e1-6397-4619-81d5-8807f2387c79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/results", + "id": "e36d8880-3f78-4546-b9a1-12f0745ca0d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/npm_install_without_pinned_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/results", + "id": "f2f903fb-b977-461e-98d7-b3e2185c6118", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/pip_install_keeping_cached_packages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/results", + "id": "f4a6bcd3-e231-4acf-993c-aa027be50d2e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_command_cd_instead_of_workdir/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/results", + "id": "b84a0b47-2e99-4c9f-8933-98bcabe2b94d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_apt/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/results", + "id": "8ada6e80-0ade-439e-b176-0b28f6bce35a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_sudo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/results", + "id": "fc775e75-fcfb-4c98-b2f2-910c5858b359", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_using_wget_and_curl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/results", + "id": "9b6b0f38-92a2-41f9-b881-3a1083d99f1b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/run_utilities_and_posix_commands/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/results", + "id": "f2daed12-c802-49cd-afed-fe41d0b82fed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/same_alias_in_different_froms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/results", + "id": "efbf148a-67e9-42d2-ac47-02fa1c0d0b22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/results", + "id": "71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unix_ports_out_of_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/results", + "id": "d3499f6d-1651-41bb-a9a7-de925fea487b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_apk_add/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/results", + "id": "02d9c71f-3ee8-4986-9c27-1a20d0d19bfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/unpinned_package_version_in_pip_install/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/results", + "id": "9bae49be-0aa3-4de5-bab2-4c3a069e40cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/update_instruction_alone/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/results", + "id": "b16e8501-ef3c-44e1-a543-a093238099c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_platform_with_from/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/results", + "id": "68a51e22-ae5a-4d48-8e87-b01a323605c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/using_unnamed_build_stages/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/results", + "id": "6b376af8-cfe8-49ab-a08d-f32de23661a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/workdir_path_not_absolute/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/results", + "id": "00481784-25aa-4a55-8633-3136dfcf4f37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_clean_all_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/results", + "id": "6e19193a-8753-436d-8a09-76dcff91bb03", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_allows_manual_input/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/results", + "id": "6452c424-1d92-4deb-bb18-a03e95d579c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/yum_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/results", + "id": "562952e4-0348-4dea-9826-44f3a2c6117b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/dockerfile/zypper_install_without_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/results", + "id": "83103dff-d57f-42a8-bd81-40abab64c1a7", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/results", + "id": "227c2f58-70c6-4432-8e9a-a89c1a548cf5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/results", + "id": "dd690686-2bf9-4012-a821-f61912dd77be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/results", + "id": "313d6deb-3b67-4948-b41d-35b699c2492e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "63ae3638-a38c-4ff4-b616-6e1f72a31a6a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/results", + "id": "77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "ad0875c1-0b39-4890-9149-173158ba3bba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/results", + "id": "8810968b-4b15-421d-918b-d91eb4bb8d1d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/results", + "id": "7ef7d141-9fbb-4679-a977-fd0883436906", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/results", + "id": "8212e2d7-e683-49bc-bf78-d6799075c5a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/results", + "id": "dbe058d7-b82e-430b-8426-992b2e4677e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/results", + "id": "fc040fb6-4c23-4c0d-b12a-39edac35debb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/results", + "id": "6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/results", + "id": "df58d46c-783b-43e0-bdd0-d99164f712ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/results", + "id": "62c8cf50-87f0-4295-a974-8184ed78fe02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/results", + "id": "1239f54b-33de-482a-8132-faebe288e6a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/results", + "id": "28727987-e398-49b8-aef1-8a3e7789d111", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/results", + "id": 
"7c98538a-81c6-444b-bf04-e60bc3ceeec0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/results", + "id": "c759d6f2-4dd3-4160-82d3-89202ef10d87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/results", + "id": "c47f90e8-4a19-43f0-8413-cc434d286c4e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/results", + "id": "dc5c5fee-6c53-43b0-ab11-4c660e064aaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/results", + "id": "a21b8df3-c840-4b3d-a41a-10fb2afda171", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/results", + "id": "e66e1b71-c810-4b4e-a737-0ab59e7f5e41", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/results", + "id": "48c61fbd-09c9-46cc-a521-012e0c325412", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "6e2b1ec1-1eca-4eb7-9d4d-2882680b4811", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/results", + "id": "50cb6c3b-c878-4b88-b50e-d1421bada9e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/results", + "id": "9038b526-4c19-4928-bca2-c03d503bdb79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/results", + "id": "a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "660360d3-9ca7-46d1-b147-3acc4002953f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/results", + "id": "dee21308-2a7a-49de-8ff7-c9b87e188575", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/results", + "id": "95601b9a-7fe8-4aee-9b58-d36fd9382dfc", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/results", + "id": "bbfc97ab-e92a-4a7b-954c-e88cec815011", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/results", + "id": "268c65a8-58ad-43e4-9019-1a9bbc56749f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pd/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/results", + "id": "9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/pst/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/results", + "id": "c7781feb-a955-4f9f-b9cf-0d7c6f54bb59", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/googleDeploymentManager/gcp_bom/sb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/results", + "id": "daaace5f-c0dc-4835-b526-7a116b7f4b4e", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/grpc/enum_name_not_camel_case/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/results", + "id": "ce30e584-b33f-4c7d-b418-a3d7027f8f60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_admit_admission_control_plugin_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/results", + "id": "a77f4d07-c6e0-4a48-8b35-0eeb51576f4f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/results", + "id": "1de5cc51-f376-4638-a940-20f2e85ae238", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/anonymous_auth_is_not_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/results", + "id": "da9f3aa8-fbfb-472f-b5a1-576127944218", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxage_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/results", + "id": 
"768aab52-2504-4a2f-a3e3-329d5a679848", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxbackup_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/results", + "id": "35c0a471-f7c8-4993-aa2c-503a3c712a66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_maxsize_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/results", + "id": "73e251f0-363d-4e53-86e2-0a93592437eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_log_path_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/results", + "id": "13a49a2e-488e-4309-a7c0-d6b05577a5fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/results", + "id": "1828a670-5957-4bc5-9974-47da228f75e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/results", + "id": "4d7ee40f-fc5d-427d-8cac-dffbe22d42d1", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_node_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/results", + "id": "1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_rbac_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/results", + "id": "f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/authorization_mode_set_to_always_allow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/results", + "id": "98ce8b81-7707-4734-aa39-627c6db3d84b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/auto_tls_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/results", + "id": "5da47109-f8d6-4585-9e2b-96a8958a12f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/basic_auth_file_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/results", + "id": "46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/bind_address_not_properly_set/payloads" + }, + 
{ + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/results", + "id": "e0e00aba-5f1c-4981-a542-9a9563c0ee20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/client_certificate_authentication_not_setup_properly/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/results", + "id": "249328b8-5f0f-409f-b1dd-029f07882e11", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/results", + "id": "9127f0d9-2310-42e7-866f-5fd9d20dcbad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cluster_allows_unsafe_sysctls/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/results", + "id": "03aabc8c-35d6-481e-9c85-20139cf72d23", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cni_plugin_does_not_support_network_policies/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/results", + "id": "dd29336b-fe57-445b-a26e-e6aa867ae609", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_is_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/results", + "id": "f922827f-aab6-447c-832a-e1ff63312bd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/container_runs_unmasked/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/results", + "id": "02323c00-cdc3-4fdc-a310-4f2b3e7a1660", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_run_with_low_uid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/results", + "id": "cf34805e-3872-4c08-bf92-6ff7bb0cfadb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_running_as_root/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/results", + "id": "19ebaa28-fc86-4a58-bcfa-015c9e22fe40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/results", + "id": "235236ee-ad78-4065-bd29-61b061f28ce0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/containers_with_sys_admin_capabilities/payloads" + }, + 
{ + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/results", + "id": "4ac0e2b7-d2d2-4af7-8799-e8de6721ccda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_limits_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/results", + "id": "ca469dd4-c736-448f-8ac1-30a642705e0a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cpu_requests_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/results", + "id": "192fe40b-b1c3-448a-aba2-6cc19a300fe3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/cronjob_deadline_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/results", + "id": "d2ad057f-0928-41ef-a83c-f59203bb855b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/dashboard_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/results", + "id": "a31b7b82-d994-48c4-bd21-3bab6c31827a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/results", + "id": "b23e9b98-0cb6-4fc9-b257-1f3270442678", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/deployment_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/results", + "id": "a6f34658-fdfb-4154-9536-56d516f65828", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/results", + "id": "cbd2db69-0b21-4c14-8a40-7710a50571a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_config_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/results", + "id": "10efce34-5af6-4d83-b414-9e096d5a06a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/encryption_provider_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/results", + "id": "e84eaf4d-2f45-47b2-abe8-e581b06deb66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ensure_administrative_boundaries_between_resources/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/results", + "id": "9391103a-d8d7-4671-ac5d-606ba7ccb0ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/results", + "id": "3f5ff8a7-5ad6-4d02-86f5-666307da1b20", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_client_certificate_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/results", + "id": "b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/results", + "id": "09bb9e96-8da3-4736-b89a-b36814acca60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/results", + 
"id": "075ca296-6768-4322-aea2-ba5063b969a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/results", + "id": "895a5a95-3756-4b04-9924-2f3bc93181bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/results", + "id": "e0099af2-fe17-411f-9991-0de28fe15f3c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/results", + "id": "5744cbb8-5946-4b75-a196-ade44449525b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/results", + "id": "2f652c42-619d-4361-b361-9f599688f8ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/hpa_targets_invalid_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/results", + "id": "14abda69-8e91-4acb-9931-76e2bee90284", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/results", + "id": "caa3479d-885d-4882-9aac-95e5e78ef5c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_pull_policy_of_container_is_not_always/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/results", + "id": "7c81d34c-8e5a-402b-9798-9f442630e678", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/image_without_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/results", + "id": "3878dc92-8e5d-47cf-9cdd-7590f71d21b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/results", + "id": "69bbc5e3-0818-4150-89cc-1e989b48f23b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/ingress_controller_exposes_workload/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/results", + "id": "b9380fd3-5ffe-4d10-9290-13e18e71eee1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_bind_address_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/results", + "id": "fa4def8c-1898-4a35-a139-7b76b1acdef0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/insecure_port_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/results", + "id": "583053b7-e632-46f0-b989-f81ff8045385", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/invalid_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/results", + "id": "ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_certificate_authority_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/results", + "id": "36a27826-1bf5-49da-aeb0-a60a30c0e834", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/results", + "id": "52d70f2e-3257-474c-b3dc-8ad9ba6a061a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/results", + "id": "1a07a446-8e61-4e4d-bc16-b0781fcb8211", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_event_qps_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/results", + "id": "bf36b900-b5ef-4828-adb7-70eb543b7cfb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_hostname_override_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/results", + "id": "cdc8b54e-6b16-4538-a1b0-35849dbe29cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_https_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/results", + "id": "5f89001f-6dd9-49ff-9b15-d8cd71b617f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_not_managing_ip_tables/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/results", + "id": "6cf42c97-facd-4fda-b8af-ea4529123355", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/results", + "id": "2940d48a-dc5e-4178-a3f8-bfbd80720b41", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/results", + "id": "ed89b97d-04e9-4fd4-919f-ee5b27e555e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/results", + "id": "ade74944-a674-4e00-859e-c6eab5bde441", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/liveness_probe_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/results", + "id": "b14d1bc4-a208-45db-92f0-e21f8e2588e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_limits_not_defined/payloads" + }, + 
{ + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/results", + "id": "229588ef-8fde-40c8-8756-f4f2b5825ded", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/memory_requests_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/results", + "id": "1123031a-f921-4c5b-bd86-ef354ecfd37a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/metadata_label_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/results", + "id": "8b36775e-183d-4d46-b0f7-96a6f34a723f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/results", + "id": "1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/results", + "id": "2270987f-bb51-479f-b8be-3ca73e5ad648", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/results", + "id": "dbbc6705-d541-43b0-b166-dd4be8208b54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/net_raw_capabilities_not_being_dropped/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/results", + "id": "85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/network_policy_is_not_targeting_any_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/results", + "id": "268ca686-7fb7-4ae9-b129-955a2a89064e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/no_drop_capabilities_for_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/results", + "id": "33fc6923-6553-4fe6-9d3a-4efa51eb874b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/results", + "id": "aa8f7a35-9923-4cad-bd61-a19b7f6aac91", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/non_kube_system_pod_with_host_mount/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/results", + "id": "caa93370-791f-4fc6-814b-ba6ce0cb4032", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/results", + "id": "cb7e695d-6a85-495c-b15f-23aed2519303", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/not_unique_certificate_authority/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/results", + "id": "94b76ea5-e074-4ca2-8a03-c5a606e30645", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/object_is_using_a_deprecated_api_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/results", + "id": "ae8827e2-4af9-4baa-9998-87539ae0d6f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/peer_auto_tls_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/results", + "id": "592ad21d-ad9b-46c6-8d2d-fad09d62a942", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/permissive_access_to_create_pods/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/results", + "id": "0401f71b-9c1e-4821-ab15-a955caa621be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_misconfigured_network_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/results", + "id": "4a20ebac-1060-4c81-95d1-1f7f620e983b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_limit_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/results", + "id": "48a5beba-e4c0-4584-a2aa-e6894e4cf424", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_resource_quota/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/results", + "id": "a97a340a-0063-418e-b3a1-3028941d0995", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_or_container_without_security_context/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/results", + "id": 
"afa36afb-39fe-4d94-b9b6-afb236f7a03d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/results", + "id": "5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/privilege_escalation_allowed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/results", + "id": "2f491173-6375-4a84-b28e-a4e2b9a58a69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/profiling_not_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/results", + "id": "87554eef-154d-411d-bdce-9dbd91e56851", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_privilege_escalation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/results", + "id": "80f93444-b240-4ebb-a4c6-5c40b76c04ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_ipc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/results", + "id": "91dacd0e-d189-4a9c-8272-5999a3cc32d9", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_allows_sharing_host_pid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/results", + "id": "a33e9173-b674-4dfb-9d82-cf3754816e4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_containers_share_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/results", + "id": "c48e57d3-d642-4e0b-90db-37f807b41b91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/results", + "id": "7307579a-3abb-46ad-9ce5-2a915634d5c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/results", + "id": "de4421f1-4e35-43b4-9783-737dd4e4a47e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/results", + "id": "8320826e-7a9c-4b0b-9535-578333193432", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_allow_privilege_escalation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/results", + "id": "d45330fd-f58d-45fb-a682-6481477a0f84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_attach_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/results", + "id": "c589f42c-7924-4871-aee2-1cede9bc7cbc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_exec_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/results", + "id": "9f85c3f6-26fd-4007-938a-2e0cb0100980", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_impersonate_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/results", + "id": "38fa11ef-dbcc-4da8-9680-7e1fd855b6fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/results", + "id": "b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/results", + "id": "6b896afb-ca07-467a-b256-1a0077a1c08e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rbac_wildcard_in_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/results", + "id": "a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/readiness_probe_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/results", + "id": "d89a15bb-8dba-4c71-9529-bef6729b9c09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/request_timeout_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/results", + "id": "1e749bc9-fde8-471c-af0c-8254efd2dee5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/role_binding_to_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/results", + "id": "05fb986f-ac73-4ebb-a5b2-7faafa93d882", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_ca_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/results", + "id": "a9c2f49d-0671-4fc9-9ece-f4e261e128d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_container_not_mounted_as_read_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/results", + "id": "e3aa0612-4351-4a0d-983f-aefea25cf203", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/root_containers_admitted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/results", + "id": "1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/results", + "id": "f377b83e-bd07-4f48-a591-60c82b14a78b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/seccomp_profile_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/results", + "id": "3d658f8b-d988-41a0-a841-40043121de1e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/secrets_as_environment_variables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/results", + "id": "3d24b204-b73d-42cb-b0bf-1a5438c5f71e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/secure_port_set_to_zero/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/results", + "id": "6a68bebe-c021-492e-8ddb-55b0567fb768", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/results", + "id": "9587c890-0524-40c2-9ce2-663af7c2f063", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_admission_control_plugin_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/results", + "id": "056ac60e-fe07-4acc-9b34-8e1d51716ab9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_allows_access_secrets/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/results", + "id": "dab4ec72-ce2e-4732-b7c3-1757dcce01a1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_key_file_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/results", + "id": "a5530bd7-225a-48f9-91bb-f40b04200165", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_lookup_set_to_false/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/results", + "id": "591ade62-d6b0-4580-b1ae-209f80ba1cd9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_name_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/results", + "id": "ccc98ff7-68a7-436e-9218-185cb0b0b780", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_private_key_file_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/results", + "id": "48471392-d4d0-47c0-b135-cdec95eb3eef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_account_token_automount_not_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/results", + "id": "3ca03a61-3249-4c16-8427-6f8e47dda729", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_does_not_target_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/results", + "id": "845acfbe-3e10-4b8e-b656-3b404d36dfb2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_type_is_nodeport/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/results", + "id": "26763a1c-5dda-4772-b507-5fca7fb5f165", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/service_with_external_load_balancer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/results", + "id": "cd290efd-6c82-4e9d-a698-be12ae31d536", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/results", + "id": "6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/results", + "id": "302736f4-b16c-41b8-befe-c0baffa0bd9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_host_pid_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/results", + "id": "c1032cf7-3628-44e2-bd53-38c17cf31b6b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/shared_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/results", + "id": "d740d048-8ed3-49d3-b77b-6f072f3b669e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/results", + "id": "8cf4671a-cf3d-46fc-8389-21e7405063a2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_requests_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/results", + "id": "1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/results", + "id": "bb241e61-77c3-4b97-9575-c0f8a1e008d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/statefulset_without_service_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/results", + "id": "49113af4-29ca-458e-b8d4-724c01a4a24f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/results", + "id": "e17fa86a-6222-4584-a914-56e8f6c87e06", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/results", + "id": "6d173be7-545a-46c6-a81d-2ae52ed1605d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_is_deployed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/results", + "id": "8b862ca9-0fbd-4959-ad72-b6609bdaa22d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tiller_service_is_not_deleted/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/results", + "id": "fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/tls_connection_certificate_not_setup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/results", + "id": "32ecd76e-7bbf-402e-bf48-8b9485749558", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/token_auth_file_is_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/results", + "id": "1acd93f1-5a37-45c0-aaac-82ece818be7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/use_service_account_credentials_not_set_to_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/results", + "id": "b9c83569-459b-4110-8f79-6305aa33cb37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_kubernetes_native_secret_management/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/results", + "id": "611ab018-c4aa-4ba2-b0f6-a448337509a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/using_unrecommended_namespace/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/results", + "id": "b7652612-de4e-4466-a0bf-1cd81f0c6063", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/results", + "id": "510d5810-9a30-443a-817d-5c1fa527b110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/weak_tls_cipher_suites/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/results", + "id": "2b1836f1-dcce-416e-8e16-da8c71920633", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_host_port_not_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/results", + "id": "5308a7a8-06f8-45ac-bf10-791fe21de46e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/results", + "id": "e8bb41e4-2f24-4e84-8bea-8c7c070cf93d", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/knative/serving_revision_spec_without_timeout_settings/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/results", + "id": "b4803607-ed72-4d60-99e2-3fa6edf471c6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/basepath_with_wrong_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/results", + "id": "c38d630d-a415-4e3e-bac2-65475979ba88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/results", + "id": "ed48229d-d43e-4da7-b453-5f98d964a57a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/body_parameter_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/results", + "id": "be1d8733-3731-40c7-a845-734741c6871d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/constraining_enum_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/results", + "id": 
"7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/results", + "id": "f30ee711-0082-4480-85ab-31d922d9a2b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_schemes_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/results", + "id": "2da46be4-4317-4650-9285-56d7103c4f93", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/global_security_using_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/results", + "id": "3d7d7b6c-fb0a-475e-8a28-c125e30d15f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/host_with_invalid_pattern/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/results", + "id": "e9817ad8-a8c9-4038-8a2f-db0e6e7b284b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/implicit_flow_oauth2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/results", + "id": 
"f985a7d2-d404-4a7f-9814-f645f791e46e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_media_type_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/results", + "id": "274f910a-0665-4f08-b66d-7058fe927dba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth2_token_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/results", + "id": "33d96c65-977d-4c33-943f-440baca49185", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/results", + "id": "fb889ae9-2d16-40b5-b41f-9da716c5abc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/results", + "id": "e9db5fb4-6a84-4abb-b4af-3b94fbdace6d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/results", + "id": "98295b32-ec09-4b5b-89a9-39853197f914", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/results", + "id": "b90033cf-ad9f-4fb9-acd1-1b9d6d278c87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/results", + "id": "750f6448-27c0-49f8-a153-b81735c1e19c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/results", + "id": "73c3bc54-3cc6-4c0a-b30a-e19f2abfc951", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_body_parameter_with_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/results", + "id": "ba239cb9-f342-4c20-812d-7b5a2aa6969e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/results", + "id": "5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/object_without_required_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/results", + "id": "2cf35b40-ded3-43d6-9633-c8dcc8bcc822", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/results", + "id": "eb3f9744-d24e-4614-b1ff-2a9514eca21c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/results", + "id": "0c79e50e-b3cf-490c-b8f6-587c644d4d0c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_consumes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/test", 
+ "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/results", + "id": "be3e170e-1572-461e-a8b6-d963def581ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_object_without_produces/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/results", + "id": "d47940ca-5970-45cc-bdd1-4d81398cee1f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_summary_too_long/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/results", + "id": "ceefb058-8065-418f-9c4c-584a78c7e104", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_basic_auth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/results", + "id": "f42dfe7e-787d-4478-a75e-a5f3d8a2269e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_implicit_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/results", + "id": "2e44e632-d617-43cb-b294-6bfe72a08938", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/operation_using_password_flow/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/results", + "id": "c3cab8c4-6c52-47a9-942b-c27f26fbd7d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/results", + "id": "2596545e-1757-4ff7-a15a-8a9a180a42f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/results", + "id": "a6847dc6-f4ea-45ac-a81f-93291ae6c573", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/path_scheme_accepts_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/results", + "id": "750b40be-4bac-4f59-bdc4-1ca0e6c3450e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/property_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/results", + "id": "bccfa089-89e4-47e0-a0e5-185fe6902220", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/response_object_incorrect_ref/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/results", + "id": "0220e1c5-65d1-49dd-b7c2-cef6d6cb5283", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/results", + "id": "3a01790c-ebee-4da6-8fd3-e78657383b75", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/results", + "id": "a46928f1-43d7-4671-94e0-2dd99746f389", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/schemes_uses_http copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/results", + "id": "773116aa-2e6d-416f-bd85-f0301cc05d76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/results", + "id": "e3f026e8-fdb4-4d5a-bcfd-bd94452073fe", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/results", + "id": "221015a8-aa2a-43f5-b00b-ad7d2b1d47a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/results", + "id": "a599b0d1-ff89-4cb8-9ece-9951854c06f6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/results", + "id": "9aa6e95c-d964-4239-a3a8-9f37a3c5a31f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/results", + "id": "3847280c-9193-40bc-8009-76168e822ce2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/results", + "id": "3b615f00-c443-4ba9-acc4-7c308716917d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_prefix/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/results", + "id": "429b2106-ba37-43ba-9727-7f699cc611e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unknown_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/results", + "id": "b30981fa-a12e-49c7-a5bb-eeafb61d0f0f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_parameter_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/results", + "id": "0b76d993-ee52-43e0-8b39-3787d2ddabf1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_response_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/results", + "id": "6d2e0790-cc3d-4c74-b973-d4e8b09f4455", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/2.0/unused_schema_definition/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/results", + "id": "9f88c88d-824d-4d9a-b985-e22977046042", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/results", + "id": "a19c3bbd-c056-40d7-9e1c-eeb0634e320d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/additional_properties_too_restrective/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/results", + "id": "40e1d1bf-11a9-4f63-a3a2-a8b84c602839", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/results", + "id": "ba066cda-e808-450d-92b6-f29109754d45", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/callback_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/results", + "id": 
"86b1fa30-9790-4980-994d-a27e0f6f27c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/results", + "id": "d15db953-a553-4b8a-9a14-a3d62ea3d79d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_callback_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/results", + "id": "b05bb927-2df5-43cc-8d7b-6825c0e71625", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_example_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/results", + "id": "a68da022-e95a-4bc2-97d3-481e0bd6d446", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_header_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/results", + "id": "c19779a9-5774-4d2f-a3a1-a99831730375", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_link_definition_unused/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/results", + "id": "151331e2-11f4-4bb6-bd35-9a005e695087", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/results", + "id": "698a464e-bb3e-4ba8-ab5e-e6599b7644a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_parameter_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/results", + "id": "6b76f589-9713-44ab-97f5-59a3dba1a285", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_request_body_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/results", + "id": "9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_response_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/results", + 
"id": "962fa01e-b791-4dcc-b04a-4a3e7389be5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/components_schema_definition_unused/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/results", + "id": "5915c20f-dffa-4cee-b5d4-f457ddc0151a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/results", + "id": "4cd8de87-b595-48b6-ab3c-1904567135ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/results", + "id": "cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/results", + "id": "bac56e3c-1f71-4a74-8ae6-2fba07efcddb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/results", + "id": "77276d82-4f45-4cf1-8e2b-4d345b936228", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/results", + "id": "2d8c175a-6d90-412b-8b0e-e034ea49a1fe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/global_server_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/results", + "id": "2d6646f4-2946-420f-8c14-3232d49ae0cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/results", + "id": "50de3b5b-6465-4e06-a9b0-b4c2ba34326b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/header_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/results", + "id": "26f06397-36d8-4ce7-b993-17711261d777", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/results", + "id": "cf4a5f45-a27b-49df-843a-9911dbfe71d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_media_type_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/results", + "id": "3ba0cca1-b815-47bf-ac62-1e584eb64a05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth2_token_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/results", + "id": "52c0d841-60d6-4a81-88dd-c35fef36d315", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/results", + "id": "f29904c8-6041-4bca-b043-dfa0546b8079", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/results", + 
"id": "6a2c219f-da5e-4745-941e-5ea8cde23356", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/results", + "id": "376c9390-7e9e-4cb8-a067-fd31c05451fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/results", + "id": "801f0c6a-a834-4467-89c6-ddecffb46b5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/results", + "id": "2e275f16-b627-4d3f-ae73-a6153a23ae8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/results", + "id": "ca02f4e8-d3ae-4832-b7db-bb037516d9e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/results", + "id": "7a01dfbd-da62-4165-aed7-71349ad42ab4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/results", + "id": "015eac96-6313-43c0-84e5-81b1374fa637", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/results", + "id": "b9db8a10-020c-49ca-88c6-780e5fdb4328", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/results", + "id": "c5bb7461-aa57-470b-a714-3bc3d74f4669", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/results", + "id": "60fb6621-9f02-473b-9424-ba9a825747d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/results", + "id": "f79b9d26-e945-44e7-98a1-b93f0f7a68a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/media_type_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/results", + "id": "39cb32f2-3a42-4af0-8037-82a7a9654b6c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/results", + "id": "3979b0a4-532c-4ea7-86e4-34c090eaa4f2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/oauth2_with_password_flow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/results", + "id": "d172a060-8569-4412-8045-3560ebd477e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/object_without_required_property/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/results", + "id": "8bfed1c6-2d59-4924-bc7f-9b9d793ed0df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/results", + "id": "d40f27e6-15fb-4b56-90f8-fc0ff0291c51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/results", + "id": "31dd6fc0-f274-493b-9614-e063086c19fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_schema_content/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/results", + "id": "46facedc-f243-4108-ab33-583b807d50b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_undefined_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/results", + "id": "8fe1846f-52cc-4413-ace9-1933d7d23672", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/parameter_object_without_schema/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/results", + "id": "9670f240-7b4d-4955-bd93-edaa9fa38b58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/path_server_uses_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/results", + "id": "59c2f769-7cc2-49c8-a3de-4e211135cfab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/results", + "id": "4190dda7-af03-4cf0-a128-70ac1661ca09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/results", + "id": "7f203940-39c4-4ea7-91ee-7aba16bca9e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/results", + "id": "a4dd69b8-49fa-45d2-a060-c76655405b05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/results", + "id": "d3ea644a-9a5c-4fee-941f-f8a6786c0470", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/results", + "id": "0f6cd0ab-c366-4595-84fc-fbd8b9901e4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/results", + "id": "58f06434-a88c-4f74-826c-db7e10cc7def", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/results", + "id": "b3871dd8-9333-4d6c-bd52-67eb898b71ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/response_object_incorrect_ref/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/results", + "id": "4cac7ace-b0fb-477d-830d-65395d9109d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_object_incorrect_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/results", + "id": "d2361d58-361c-49f0-9e50-b957fd608b29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/results", + "id": "ab1263c2-81df-46f0-9f2c-0b62fdb68419", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/results", + "id": "20a482d5-c5d9-4a7a-b7a4-60d0805047b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_operation_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/results", + "id": "37140f7f-724a-4c87-a536-e9cee1d61533", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/results", + "id": "8db5544e-4874-4baa-9322-e9f75a2d219e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/results", + "id": "68e5fcac-390c-4939-a373-6074b7be7c71", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_basic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/results", + "id": "a4247b11-890b-45df-bf42-350a7a3af9be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/results", + "id": "f525cc92-9050-4c41-a75c-890dc6f64449", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/results", + "id": "06764426-3c56-407e-981f-caa25db1c149", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/results", + "id": "1bc3205c-0d60-44e6-84f3-44fbf4dac5b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/security_schemes_using_oauth/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/results", + "id": "8aee4754-970d-4c5f-8142-a49dfe388b1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_object_variable_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/results", + "id": "a0bf7382-5d5a-4224-924c-3db8466026c9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_not_absolute/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/results", + "id": "8d0921d6-4131-461f-a253-99e873f8f77e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/results", + "id": "c66ebeaa-676c-40dc-a3ff-3e49395dcd5e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/servers_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/results", + "id": "105e20dd-8449-4d71-95c6-d5dac96639af", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/results", + "id": "23a9e2d9-8738-4556-a71c-2802b6ffa022", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/results", + "id": "462d6a1d-fed9-4d75-bb9e-3de902f35e6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/results", + "id": "a5375be3-521c-43bb-9eab-e2432e368ee4", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_prefix/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/results", + "id": "fb7d81e7-4150-48c4-b914-92fc05da6a2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/3.0/unknown_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/results", + "id": "aecee30b-8ea1-4776-a99c-d6d600f0862f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_global_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/results", + "id": "281b8071-6226-4a43-911d-fec246d422c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/api_key_exposed_in_operation_security/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/results", + "id": "be0e0df7-f3d9-42a1-9b6f-d425f94872c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_items_has_no_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/results", + "id": 
"6998389e-66b2-473d-8d05-c8d71ac4d04d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/array_without_maximum_number_items/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/results", + "id": "a96bbc06-8cde-4295-ad3c-ee343a7f658e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/results", + "id": "86e3702f-c868-44b2-b61d-ea5316c18110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/default_response_undefined_operations/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/results", + "id": "881a6e71-c2a7-4fe2-b9c3-dfcf08895331", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/example_not_compliant_with_schema_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/results", + "id": "8af270ce-298b-4405-9922-82a10aee7a4f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/global_security_field_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/results", + "id": "f2702af5-6016-46cb-bbc8-84c766032095", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_accept/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/results", + "id": "8c84f75e-5048-4926-a4cb-33e7b3431300", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_authorization/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/results", + "id": "72d259ca-9741-48dd-9f62-eb11f2936b37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_parameter_named_as_content_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/results", + "id": "d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/header_response_name_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/results", + "id": "b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_email/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/results", + "id": "332cf2ad-380d-4b90-b436-46f8e635cf38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_contact_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/results", + "id": "d929c031-078f-4241-b802-e224656ad890", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/results", + "id": "b2d9dbf6-539c-4374-a1fd-210ddf5563a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_global_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/results", + "id": "9239c289-9e4c-4d92-8be1-9d506057c971", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_license_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/results", + "id": "5ea61624-3733-4a3a-8ca4-b96fec9c5aeb", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_operation_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/results", + "id": "6952a7e0-6e48-4285-bbc1-27c64e60f888", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_schema_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/results", + "id": "5aea1d7e-b834-4749-b143-2c7ec3bd5922", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/invalid_tag_external_documentation_url/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/results", + "id": "a8e859da-4a43-4e7f-94b8-25d6e3bf8e90", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/items_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/results", + "id": "9d967a2b-9d64-41a6-abea-dfc4960299bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/results", + "id": "e2ffa504-d22a-4c94-b6c5-f661849d2db7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_object_schema_without_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/results", + "id": "96beb800-566f-49a9-a0ea-dbdf4bc80429", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/json_ref_alongside_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/results", + "id": "8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/maximum_length_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/results", + "id": "96729c6b-7400-4d9e-9807-17f00cdde4d2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/no_global_and_operation_security_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/results", + "id": "20cb3159-b219-496b-8dac-54ae3ab2021a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/non_array_schema_with_items/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/results", + "id": "fbf699b5-ef74-4542-9cf1-f6eeac379373", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_format/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/results", + "id": "2ea04bef-c769-409e-9179-ee3a50b5c0ac", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_maximum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/results", + "id": "181bd815-767e-4e95-a24d-bb3c87328e19", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/numeric_schema_without_minimum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/results", + "id": "2e9b6612-8f69-42e0-a5b8-ed17739c2f3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/object_using_enum_with_keyword/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/results", + "id": "c254adc4-ef25-46e1-8270-b7944adb4198", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_id_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/results", + "id": "48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/operation_without_successful_http_status_code/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/results", + "id": "05505192-ba2c-4a81-9b25-dcdbcc973746", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameter_objects_headers_dup_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/results", + "id": "f5b2e6af-76f5-496d-8482-8f898c5fdb4a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/parameters_name_in_not_unique/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/results", + "id": "237402e2-c2f0-46c9-9cf5-286160cf7bfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_ambiguous/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/results", + "id": "0de50145-e845-47f4-9a15-23bcf2125710", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_not_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/results", + "id": "69d7aefd-149d-47b8-8d89-1c2181a8067b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/results", + "id": "ae13a37d-943b-47a7-a970-83c8598bcca3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_template_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/results", + "id": "84c826c9-1893-4b34-8cdd-db97645b4bf3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/path_without_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/results", + "id": "815021c8-a50c-46d9-b192-24f71072c400", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/paths_object_empty/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/results", + "id": "00b78adf-b83f-419c-8ed8-c6018441dd3a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/pattern_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/results", + "id": "3fb03214-25d4-4bd4-867c-c2d8d708a483", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/properties_missing_required_property/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/results", + "id": "4bcbcd52-3028-469f-bc14-02c7dbba2df2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/results", + "id": "ab2af219-cd08-4233-b5a1-a788aac88b51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/results", + "id": 
"013bdb4b-9246-4248-b0c3-7fb0fee42a29", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/required_property_default_value/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/results", + "id": "6c35d2c6-09f2-4e5c-a094-e0e91327071d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_code_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/results", + "id": "12a7210b-f4b4-47d0-acac-0a819e2a0ca3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/results", + "id": "a92be1d5-d762-484a-86d6-8cd0907ba100", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/response_operations_body_schema_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/results", + "id": "990eaf09-d6f1-4c3c-b174-a517b1de8917", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_object_is_empty/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/results", + "id": "d86655c0-92f6-4ffc-b4d5-5b5775804c27", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/responses_wrong_http_status_code/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/results", + "id": "40d3df21-c170-4dbe-9c02-4289b51f994f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/results", + "id": "b481d46c-9c61-480f-86d9-af07146dc4a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_not_required/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/results", + "id": "dadc2f36-1f5a-46c0-8289-75e626583123", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_discriminator_property_not_string/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/results", + "id": 
"03856cb2-e46c-4daf-bfbf-214ec93c882b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_enum_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/results", + "id": "500ce696-d501-41dd-86eb-eceb011a386f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/results", + "id": "10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/results", + "id": "1a1aea94-745b-40a7-b860-0702ea6ee636", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_object_with_circular_ref/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/results", + "id": "2bd608ae-8a1f-457f-b710-c237883cb313", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/schema_required_property_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/results", + "id": "d674aea4-ba8b-454b-bb97-88a772ea33f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/results", + "id": "543e38f4-1eee-479e-8eb0-15257013aa0a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_empty_object_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/results", + "id": "663c442d-f918-4f62-b096-0bf5dcbeb655", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_array/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/results", + "id": "baade968-7467-41e4-bf22-83ca222f5800", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/security_operations_empty_object_definition/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/results", + "id": "8c81d6c0-716b-49ec-afa5-2d62da4e3f3c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/string_schema_with_broad_pattern/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/results", + "id": "3b497874-ae59-46dd-8d72-1868a3b8f150", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/results", + "id": "b2f275be-7d64-4064-b418-be6b431363a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_get_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/results", + "id": "3b066059-f411-4554-ac8d-96f32bff90da", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_head_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/results", + "id": "1908a8ee-927d-4166-8f18-241152170cc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/results", + "id": "f368dd2d-9344-4146-a05b-7c6faa1269ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_post_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/results", + "id": "60b5f56b-66ff-4e1c-9b62-5753e16825bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/success_response_code_undefined_put_operation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/results", + "id": "561710b1-b845-4562-95ce-2397a05ccef4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/results", + "id": "a9228976-10cf-4b5f-b902-9e962aad037a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/openAPI/general/type_has_invalid_keyword/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "bccb296f-362c-4b05-9221-86d1437a1016", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/results", + "id": "bf4b48b9-fc1f-4552-984a-4becdb5bf503", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/results", + "id": "f27791a5-e2ae-4905-8910-6f995c576d09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/results", + "id": "2ca87964-fe7e-4cdc-899c-427f0f3525f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/results", + "id": "b6a7e0ae-aed8-4a19-a993-a95760bf8836", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": "327b0729-4c5c-4c44-8b5c-e476cd9c7290", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/results", + "id": "daa581ef-731c-4121-832d-cf078f67759d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/results", + "id": "d991e4ae-42ab-429b-ab43-d5e5fa9ca633", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/results", + "id": "abcefee4-a0c1-4245-9f82-a473f79a9e2f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/results", + "id": "9b18fc19-7fb8-49b1-8452-9c757c70f926", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/results", + "id": "e93bbe63-a631-4c0f-b6ef-700d48441ff2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/results", + "id": "a1120ee4-a712-42d9-8fb5-22595fed643b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/results", + "id": "00603add-7f72-448f-a6c0-9e456a7a3f94", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/results", + "id": "9850d621-7485-44f7-8bdd-b3cf426315cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/results", + "id": "647de8aa-5a42-41b5-9faf-22136f117380", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/results", + "id": "49e30ac8-f58e-4222-b488-3dcb90158ec1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/results", + "id": "cb8e4bf0-903d-45c6-a278-9a947d82a27b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "48f7e44d-d1d1-44c2-b336-9f11b65c4fb0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "965e8830-2bec-4b9b-a7f0-24dbc200a68f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/results", + "id": "95588189-1abd-4df1-9588-b0a5034f9e87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/results", + "id": "ee305555-6b1d-4055-94cf-e22131143c34", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/pulumi/kubernetes/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/results", + "id": "a4d32883-aac7-42e1-b403-9415af0f3846", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/results", + "id": "4d424558-c6d1-453c-be98-9a7f877abd9a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/results", + "id": "d5d1fe08-89db-440c-8725-b93223387309", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_without_content_encoding/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/results", + "id": "434945e5-4dfd-41b1-aba1-47075ccd9265", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/results", + "id": "4495bc5d-4d1e-4a26-ae92-152d18195648", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/results", + "id": "dec7bc85-d156-4f64-9a33-96ed3d9f3fed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/results", + "id": "f99d3482-fa8c-4f79-bad9-35212dded164", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/results", + "id": "165aae3b-a56a-48f3-b76d-d2b5083f5b8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/results", + "id": "0d7ef70f-e176-44e6-bdba-add3e429788d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/results", + "id": "59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/serverlessFW/serverless_role_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/results", + "id": "c065b98e-1515-4991-9dca-b602bd6a2fbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/results", + "id": "69b5d7da-a5db-4db9-a42e-90b65d0efb0b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/results", + "id": "ee3b1557-9fb5-4685-a95d-93f1edf2a0d7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/results", + "id": "1bcdf9f0-b1aa-40a4-b8c6-cd7785836843", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/results", + "id": "ed6e3ba0-278f-47b6-a1f5-173576b40b7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/results", + "id": 
"81ce9394-013d-4731-8fcc-9d229b474073", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/results", + "id": "39750e32-3fe9-453b-8c33-dd277acdb2cc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/results", + "id": "f262118c-1ac6-4bb3-8495-cc48f1775b85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/results", + "id": "cb319d87-b90f-485e-a7e7-f2408380f309", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/high_kms_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/results", + "id": "b9b7ada8-3868-4a35-854e-6100a2bb863d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/results", + "id": "1455cb21-1d48-46d6-8ae3-cef911b71fd5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/results", + "id": "ed6cf6ff-9a1f-491c-9f88-e03c0807f390", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/results", + "id": "67bfdff1-31ce-4525-b564-e94368735360", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/results", + "id": "5f670f9d-b1b4-4c90-8618-2288f1ab9676", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/nas_file_system_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/results", + "id": "72ceb736-0aee-43ea-a191-3a69ab135681", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/no_ros_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/results", + "id": "ec62a32c-a297-41ca-a850-cab40b42094a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/results", + "id": "8c0695d8-2378-4cd6-8243-7fd5894fa574", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/results", + "id": "88541597-6f88-42c8-bac6-7e0b855e8ff6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/results", + "id": "fe286195-e75c-4359-bd58-00847c4f855a", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/results", + "id": "f20e97f9-4919-43f1-9be9-f203cd339cdd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/results", + "id": "2b13c6ff-b87a-484d-86fd-21ef6e97d426", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_has_static_website/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/results", + "id": "6107c530-7178-464a-88bc-df9cdd364ac8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/results", + "id": "7db8bd7e-9772-478c-9ec5-4bc202c5686f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/results", + "id": "05db341e-de7d-4972-a106-3e2bd5ee53e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/results", + "id": "62232513-b16f-4010-83d7-51d0e1d45426", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/results", + "id": "8f98334a-99aa-4d85-b72a-1399ca010413", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/results", + "id": "70919c0b-2548-4e6b-8d7a-3d84ab6dabba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/results", + "id": "c01d10de-c468-4790-b3a0-fc887a56f289", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/results", + "id": "60587dbd-6b67-432e-90f7-a8cf1892d968", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/results", + "id": "2ae9d554-23fb-4065-bfd1-fe43d5f7c419", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/results", + "id": "dd706080-b7a8-47dc-81fb-3e8184430ec0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/results", + "id": "e76fd7ab-7333-40c6-a2d8-ea28af4a319e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/results", + "id": "2bb13841-7575-439e-8e0a-cccd9ede2fa8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/results", + "id": "a9dfec39-a740-4105-bbd6-721ba163c053", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/results", + "id": "063234c0-91c0-4ab5-bbd0-47ddb5f23786", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/results", + "id": "41a38329-d81b-4be4-aef4-55b2615d3282", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/results", + "id": "a8128dd2-89b0-464b-98e9-5d629041dfe0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/results", + "id": "89143358-cec6-49f5-9392-920c591c669c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/results", + "id": "5e0fb613-ba9b-44c3-88f0-b44188466bfd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/results", + "id": "e8e62026-da63-4904-b402-65adfe3ca975", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/results", + "id": "66505003-7aba-45a1-8d83-5162d5706ef5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_policy_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/results", + "id": "dcda2d32-e482-43ee-a926-75eaabeaa4e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/results", + "id": "faaefc15-51a5-419e-bb5e-51a4b5ab3485", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/results", + "id": "b9c524a4-fe76-4021-a6a2-cb978fb4fde1", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_events_not_logged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/results", + "id": "140869ea-25f2-40d4-a595-0c0da135114e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/results", + "id": "d53f4123-f8d8-4224-8cb3-f920b151cc98", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/results", + "id": "a597e05a-c065-44e7-9cc8-742f572a504a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/results", + "id": "1b4565c0-4877-49ac-ab03-adebbccd42ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/results", + "id": "dc158941-28ce-481d-a7fa-dc80761edf46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/results", + "id": "7a1ee8a9-71be-4b11-bb70-efb62d16863b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/results", + "id": "44d434ca-a9bf-4203-8828-4c81a8d5a598", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/results", + "id": "9ef08939-ea40-489c-8851-667870b2ef50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/results", + "id": 
"4bb06fa1-2114-4a00-b7b5-6aeab8b896f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/results", + "id": "92d65c51-5d82-4507-a2a1-d252e9706855", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/ros_stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/results", + "id": "dbfc834a-56e5-4750-b5da-73fda8e73f70", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/results", + "id": "d2731f3d-a992-44ed-812e-f4f1c2747d71", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/results", + "id": "afecd1f1-6378-4f7e-bb3b-60c35801fdd4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_deletion_protection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/results", + "id": "0afa6ab8-a047-48cf-be07-93a2f8c34cf7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/results", + "id": "de7f5e83-da88-4046-871f-ea18504b1d43", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_listening_on_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/results", + "id": "6e3fd2ed-5c83-4c68-9679-7700d224d379", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/results", + "id": "030d3b18-1821-45b4-9e08-50efbe7becbb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/results", + "id": "3db3f534-e3a3-487f-88c7-0a9fbf64b702", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/results", + "id": "8bbb242f-6e38-4127-86d4-d8f0b2687ae2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/results", + "id": "ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/results", + "id": "1b6799eb-4a7a-4b04-9001-8cceb9999326", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/results", + "id": "625abc0e-f980-4ac9-a775-f7519ee34296", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/results", + "id": "b3a59b8e-94a3-403e-b6e2-527abaf12034", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/results", + "id": "6b2739db-9c49-4db7-b980-7816e0c248c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/results", + "id": "671211c5-5d2a-4e97-8867-30fc28b02216", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/results", + "id": "b7c9a40c-23e4-4a2d-8d39-a3352f10f288", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/results", + "id": "c999cf62-0920-40f8-8dda-0caccd66ed7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/results", + "id": "982aa526-6970-4c59-8b9b-2ce7e019fe36", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/results", + "id": "ed35928e-195c-4405-a252-98ccb664ab7b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_invalid_compression/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/results", + "id": "15ccec05-5476-4890-ad19-53991eba1db8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_with_open_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/results", + "id": "0a96ce49-4163-4ee6-8169-eb3b0797d694", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/results", + "id": "4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_security_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/results", + "id": "0b4869fc-a842-4597-aa00-1294df425440", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/results", + "id": "a186e82c-1078-4a7b-85d8-579561fde884", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/results", + "id": "5813ef56-fa94-406a-b35d-977d4a56ff2b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/api_gateway_xray_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/results", + "id": "b2315cae-b110-4426-81e0-80bb8640cdd3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_database_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/results", + "id": "d364984a-a222-4b5f-a8b0-e23ab19ebff3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/athena_workgroup_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/results", + "id": "1a690d1d-0ae7-49fa-b2db-b75ae0dd1d3e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/results", + "id": "3ddfa124-6407-4845-a501-179f90c65097", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/authentication_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/results", + "id": "8e94dced-9bcc-4203-8eb7-7e41202b2505", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/results", + "id": "3b6d777b-76e3-4133-80a3-0d6f667ade7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/results", + "id": "ba48df05-eaa1-4d64-905e-4a4b051e7587", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/autoscaling_groups_supply_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/results", + "id": "cd1d93f2-8ed2-4eb5-b536-776619f1869b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/results", + "id": "9ef7d25d-9764-4224-9968-fa321c56ef76", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/results", + "id": "66cd88ac-9ddf-424a-b77e-e55e17630bee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/results", + "id": "1f624961-9a18-4387-91c8-3856e1974b6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/block_device_is_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/results", + "id": "9f40c07e-699e-4410-8856-3ba0f2e3a2dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/results", + "id": "1bc367f6-901d-4870-ad0c-71d79762ef52", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cdn_configuration_is_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/results", + "id": "c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_has_expired/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/results", + "id": "874d68a3-bfbe-4a4b-aaa0-9e74d7da634b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/results", + "id": "94690d79-b3b0-43de-b656-84ebef5753e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/results", + "id": "55af1353-2f62-4fa0-a8e1-a210ca2708f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/results", + "id": "00e5e55e-c2ff-46b3-a757-a7a1cd802456", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/results", + "id": 
"1419b4c6-6d5c-4534-9cf6-6a5266085333", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudfront_without_waf/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/results", + "id": "52ffcfa6-6c70-4ea6-8376-d828d3961669", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/results", + "id": "5d9e3164-9265-470c-9a10-57ae454ac0c7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/results", + "id": "bd0088a5-c133-4b20-b129-ec9968b16ef3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/results", + "id": "ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/results", + "id": "4bb76f17-3d63-4529-bdca-2b454529d774", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/results", + "id": "8173d5eb-96b5-4aa6-a71b-ecfa153c123d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/results", + "id": "17b30f8f-8dfb-4597-adf6-57600b6cf25e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/results", + "id": "482b7d26-0bdb-4b5f-bf6f-545826c0a3dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/results", + "id": "5b8d7527-de8e-4114-b9dd-9d988f1f418f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/results", + "id": "38b85c45-e772-4de8-a247-69619ca137b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/results", + "id": "0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/results", + "id": "0f6cbf69-41bb-47dc-93f3-3844640bf480", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/results", + "id": "56a585f5-555c-48b2-8395-e64e4740a9cf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/results", + "id": "eaaba502-2f94-411a-a3c2-83d63cc1776d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/results", + "id": "0afbcfe9-d341-4b92-a64c-7e6de0543879", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/results", + "id": "7dbba512-e244-42dc-98bb-422339827967", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/results", + "id": "db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/results", + "id": "5864d189-ee9a-4009-ac0c-8a582e6b7919", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/results", + "id": "44ceb4fa-0897-4fd2-b676-30e7a58f2933", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/results", + "id": "081069cb-588b-4ce1-884c-2a1ce3029fe5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_metrics_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/results", + "id": "6b6874fe-4c2f-4eea-8b90-7cceaa4a125e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/results", + "id": "8b1b1e67-6248-4dca-bbad-93486bb181c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/results", + "id": "2285e608-ddbc-47f3-ba54-ce7121e31216", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/results", + "id": "27c6a499-895a-4dc7-9617-5c485218db13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/results", + "id": "4beaf898-9f8b-4237-89e2-5ffdc7ee6006", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/results", + "id": "4c18a45b-4ab1-4790-9f83-399ac695f1e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/results", + "id": "9d0d4512-1959-43a2-a17f-72360ff06d1b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/results", + "id": "ef0b316a-211e-42f1-888e-64efe172b755", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/results", + "id": "7350fa23-dcf7-4938-916d-6a60b0c73b50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_is_unusable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/results", + "id": "22fbfeac-7b5a-421a-8a27-7a2178bb910b", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cmk_rotation_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/results", + "id": "3deec14b-03d2-4d27-9670-7d79322e3340", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/results", + "id": "ec28bf61-a474-4dbe-b414-6dd3a067d6f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cognito_userpool_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/results", + "id": "ac5a0bc0-a54c-45aa-90c3-15f7703b9132", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/results", + "id": "abdb29d4-5ca1-4e91-800b-b3569bbd788c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/results", + "id": "09c35abf-5852-4622-ac7a-b987b331232e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/results", + "id": "f11aec39-858f-4b6f-b946-0a1bf46c0c87", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dax_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/results", + "id": "08bd0760-8752-44e1-9779-7bb369b2b4e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_instance_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/results", + "id": "f0d8781f-99bf-4958-9917-d39283b168a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_has_public_interface/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/results", + "id": "4f615f3e-fb9c-4fad-8b70-2e9f781806ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_open_to_large_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/results", + "id": "1e0ef61b-ad85-4518-a3d3-85eaad164885", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/db_security_group_with_public_scope/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/results", + "id": "46883ce1-dc3e-4b17-9195-c6a601624c73", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/results", + "id": "96ed3526-0179-4c73-b1b2-372fde2e0d13", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/default_vpc_exists/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/results", + "id": "2134641d-30a4-4b16-8ffc-2cd4c4ffd15d", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/results", + "id": "bc1f9009-84a0-490f-ae09-3e0ea6d74ad6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/results", + "id": "4766d3ea-241c-4ee6-93ff-c380c996bd1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_cluster_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/results", + "id": "56f6a008-1b14-4af4-b9b2-ab7cf7e27641", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/docdb_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/results", + "id": "ce089fd4-1406-47bd-8aad-c259772bb294", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/results", + "id": 
"741f1291-47ac-4a85-a07b-3d32a9d6bd3e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/results", + "id": "0bc534c5-13d1-4353-a7fe-b8665d5c1d7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/results", + "id": "3d3f6270-546b-443c-adb4-bb6fb2187ca6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_default_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/results", + "id": "cc997676-481b-4e93-aa81-d19f8c5e9b12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/results", + "id": "e6b4b943-6883-47a9-9739-7ada9568f8ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/results", + "id": "5a2486aa-facf-477d-a5c1-b010789459ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/results", + "id": "23b70e32-032e-4fa6-ba5c-82f56b9980e6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/results", + "id": "0b93729a-d882-4803-bdc3-ac429a21f158", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_api_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/results", + "id": "f1adc521-f79a-4d71-b55b-a68294687432", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/results", + "id": "7e4a6e76-568d-43ef-8c4e-36dea481bff1", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/results", + "id": "60224630-175a-472a-9e23-133827040766", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ec2_not_ebs_optimized/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/results", + "id": "d1846b12-20c5-4d45-8798-fc35b79268eb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_image_tag_not_immutable/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/results", + "id": "e86e26fc-489e-44f0-9bcd-97305e4ba69a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/results", + "id": "0e32d561-4b5a-4664-a6e3-a3fa85649157", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/results", + "id": 
"69e7c320-b65d-41bb-be02-d63ecc0bcc9d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecr_repository_without_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/results", + "id": "97cb0688-369a-4d26-b1f7-86c4c91231bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/results", + "id": "3206240f-2e87-4e58-8d24-3e19e7c83d7c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_admin_role_is_present/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/results", + "id": "91f16d09-689e-4926-aca7-155157f634ed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_service_without_running_tasks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/results", + "id": "bafe7989-3c4b-47f0-910b-e6e1cba7f146", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/results", + "id": "9f4a9409-9c60-4671-be96-9716dbf63db1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/results", + "id": "48207659-729f-4b5c-9402-f884257d794f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/results", + "id": "4d46ff3b-7160-41d1-a310-71d6d370b08f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/results", + "id": "fae52418-bb8b-4ac2-b287-0b9082d6a3fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/results", + "id": "25d251f3-f348-4f95-845c-1090e41a615c", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/efs_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/results", + "id": "63ebcb19-2739-4d3f-aa5c-e8bbb9b85281", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/results", + "id": "42f4b905-3736-4213-bfe9-c0660518cda8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/results", + "id": "61cf9883-1752-4768-b18c-0d57f2737709", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/results", + "id": "37304d3f-f852-40b8-ae3f-725e87a7cedf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_cluster_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/results", + 
"id": "ba40ace1-a047-483c-8a8d-bc2d3a67a82d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/results", + "id": "6db03a91-f933-4f13-ab38-a8b87a7de54d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/results", + "id": "8fdb08a0-a868-4fdf-9c27-ccab0237f1ab", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/results", + "id": "76976de7-c7b1-4f64-a94f-90c1345914c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/results", + "id": "1afbb3fa-cf6c-4a3d-b730-95e9f4df343e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/results", + "id": "5d89db57-8b51-4b38-bb76-b9bd42bd40f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/results", + "id": "8c849af7-a399-46f7-a34c-32d3dc96f1fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticache_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/results", + "id": "967eb3e6-26fc-497d-8895-6428beb6e8e2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/results", + "id": "16c4216a-50d3-4785-bfb2-4adb5144a8ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/results", + "id": "7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/results", + "id": "acb6b4e2-a086-4f35-aefd-4db6ea51ada2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/results", + "id": "24e16922-4330-4e9d-be8a-caa90299466a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/results", + "id": "2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_with_https_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/results", + "id": "e7530c3c-b7cf-4149-8db9-d037a0b5268e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/results", + "id": "e979fcbc-df6c-422d-9458-c33d65e71c45", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elasticsearch_without_slow_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/results", + "id": "20018359-6fd7-4d05-ab26-d4dffccbdf79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_access_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/results", + "id": "126c1788-23c2-4a10-906c-ef179f4f96ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/results", + "id": "4a800e14-c94a-442d-9067-5a2e9f6c0a4c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_using_weak_ciphers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/results", + "id": 
"3e34db4f-0ad9-4290-bfd0-4a9ee884acaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/results", + "id": "2b3c8a6d-9856-43e6-ab1d-d651094f03b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/emr_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/results", + "id": "96e8183b-e985-457b-90cd-61c0503a3369", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/results", + "id": "01d50b14-e933-4c99-b314-6d08cd37ad35", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/results", + "id": "ad5b4e97-2850-4adf-be17-1d293e0b85ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/results", + "id": "d25edb51-07fb-4a73-97d4-41cecdc53a22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/glue_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "8f3c16b3-354d-45db-8ad5-5066778a9485", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "70b42736-efee-4bce-80d5-50358ed94990", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "3dd96caa-0b5f-4a85-b929-acfac4646cc2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "db78d14b-10e5-4e6e-84b1-dace6327b1ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "846646e3-2af1-428c-ac5d-271eccfa6faf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "04c686f1-e0cd-4812-88e1-4e038410074c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "ec49cbfd-fae4-45f3-81b1-860526d66e3f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "9b0ffadc-a61f-4c2a-b1e6-68fab60f6267", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "15e6ad8c-f420-49a6-bafb-074f5eb1ec74", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": 
"7d544dad-8a6c-431c-84c1-5f07fe9afc0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/results", + "id": "034d0aee-620f-4bf7-b7fb-efdf661fdb9e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "e77c89f6-9c85-49ea-b95b-5f960fe5be92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "c0c1e744-0f37-445e-924a-1846f0839f69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "60263b4a-6801-4587-911d-919c37ed733b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "7782d4b3-e23e-432b-9742-d9528432e771", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "78f1ec6f-5659-41ea-bd48-d0a142dce4f2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "ad296c0d-8131-4d6b-b030-1b0e73a99ad3", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "571254d8-aa6a-432e-9725-535d3ef04d69", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/results", + "id": "704dadd3-54fc-48ac-b6a0-02f170011473", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/guardduty_detector_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/results", + "id": "d7b9d850-3e06-4a75-852f-c46c2e92240b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/results", + "id": "1402afd8-a95c-4e84-8b0b-6fb43758e6ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/results", + "id": "ffac8a12-322e-42c1-b9b9-81ff85c39ef7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/http_port_open/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/results", + "id": "e592a0c5-5bdb-414c-9066-5dba7cdea370", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/results", + "id": "7081f85c-b94d-40fd-8b45-a4f1cac75e46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_access_key_is_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/results", + "id": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_database_auth_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/results", + "id": "228497f6-414f-41c8-9113-f36a2b1b7975", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/results", + "id": "fc101ca7-c9dd-4198-a1eb-0fbe92e80044", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_group_without_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/results", + "id": "1bc1c685-e593-450e-88fb-19db4c82aa1d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_password_without_minimum_length/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/results", + "id": "b4378389-a9aa-44ee-91e7-ef183f11079e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_attached_to_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/results", + "id": "2f37c4a3-58b9-4afe-8a87-d7f1d2286f84", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policies_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/results", + "id": "ba2ed23b-52d3-45ca-be25-f6c358d45abd", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/results", + "id": "bcdcbdc6-a350-4855-ae7c-d1e6436f7c97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/results", + "id": "575a2155-6af1-4026-b1af-d5bc8fe2a904", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_policy_grants_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/results", + "id": "12b7e704-37f0-4d1e-911a-44bf60c48c21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/results", + "id": "e39bee8c-fe54-4a3f-824d-e5e2d1cca40a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/results", + "id": "b1ffa705-19a3-4b73-b9d0-0c97d0663842", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_role_with_full_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/results", + "id": "b5681959-6c09-4f55-b42b-c40fa12d03ec", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_policy_without_mfa/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/results", + "id": "3561130e-9c5f-485b-9e16-2764c82763e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_too_many_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/results", + "id": "9ec311bf-dfd9-421f-8498-0b063c8bc552", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/iam_user_with_access_to_console/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/results", + "id": "c306ac53-ee5b-41d3-86a9-0fd2722b4e67", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/results", + "id": "a31a5a29-718a-4ff4-8001-a69e5e4d029e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/instance_with_no_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/results", + "id": "862fe4bf-3eec-4767-a517-40f378886b88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/results", + "id": "5c6dd5e7-1fe0-4cae-8f81-4c122717cef3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kinesis_sse_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/results", + "id": "7ebc9038-0bde-479a-acc4-6ed7b6758899", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_full_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/results", + "id": 
"0b530315-0ea4-497f-b34c-4ff86268f59d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/kms_key_with_no_deletion_window/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/results", + "id": "1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_with_privileged_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/results", + "id": "720f44cf-285e-4b69-8f72-835e6bc1dceb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/results", + "id": "8152e0cf-d2f0-47ad-96d5-d003a76eabd1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/results", + "id": "0ca1017d-3b80-423e-bb9c-6cd5898d34bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/results", + "id": "75ec6890-83af-4bf1-9f16-e83726df0bd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/results", + "id": "e08ed7eb-f3ef-494d-9d22-2e3db756a347", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/results", + "id": "ad9dabc7-7839-4bae-a957-aa9120013f39", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/lambda_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/results", + "id": "ce60d060-efb8-4bfd-9cf7-ff8945d00d90", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/misconfigured_password_policy_expiration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/results", + "id": "66f130d9-b81d-4e8e-9b08-da74b9c891df", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/missing_cluster_log_types/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/results", + "id": "4eb5f791-c861-4afd-9f94-f2a6a3fe49cb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/results", + "id": "31245f98-a6a9-4182-9fc1-45482b9d030a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/mq_broker_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/results", + "id": "54378d69-dd7c-4b08-a43e-80d563396857", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/results", + "id": "6db52fa6-d4da-4608-908a-89f0c59e743e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/results", + 
"id": "2f56b7ab-7fba-4e93-82f0-247e5ddeb239", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/msk_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/results", + "id": "9ba198e0-fef4-464a-8a4d-75ea55300de7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/results", + "id": "c91d7ea0-d4d1-403b-8fe1-c9961ac082c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/results", + "id": "98d59056-f745-4ef5-8613-32bca8d40b7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/results", + "id": "45cff7b6-3b80-40c1-ba7b-2cf480678bb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/neptune_logging_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/results", + "id": "a20be318-cac7-457b-911d-04cc6e812c25", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/results", + "id": "3af7f2fd-06e6-4dab-b996-2912bea19ba4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/results", + "id": "b592ffd4-0577-44b6-bd35-8c5ee81b5918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_password_policy_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/results", + "id": "2f01fb2d-828a-499d-b98e-b83747305052", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/no_stack_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/results", + "id": "89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/password_without_reuse_prevention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/results", + "id": "bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/policy_without_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/results", + "id": "820882c4-0c07-4686-b1ca-c69241c57470", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/postgres_rds_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/results", + "id": "c53c7a89-f9d7-4c7b-8b66-8a555be99593", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_and_private_ec2_share_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/results", + "id": "3ef8696c-e4ae-4872-92c7-520bb44dfe77", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/public_lambda_via_api_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/results", + 
"id": "2f737336-b18a-4602-8ea0-b200312e1ac1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_associated_with_public_subnet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/results", + "id": "e542bd46-58c4-4e0f-a52a-1fb4f9548e02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/results", + "id": "656880aa-1388-488f-a6d4-8f73c23149b2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/results", + "id": "35113e6f-2c6b-414d-beec-7a9482d3b2d1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/results", + "id": "3199c26c-7871-4cb3-99c2-10a59244ce7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_storage_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/results", + "id": "bca7cc4d-b3a4-4345-9461-eb69c68fcd26", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_using_default_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/results", + "id": "1dc73fb4-5b51-430c-8c5f-25dcf9090b02", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_with_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/results", + "id": "8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rds_without_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/results", + "id": "4bd15dd9-8d5e-4008-8532-27eb0c3706d3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/results", + "id": "254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redis_not_compliant/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/results", + "id": "15ffbacc-fa42-4f6f-a57d-2feac7365caa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/results", + "id": "0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_cluster_without_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/results", + "id": "cfdcabb0-fc06-427c-865b-c59f13e898ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/results", + "id": "af173fde-95ea-4584-b904-bb3923ac4bda", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/results", + "id": "41abc6cc-dde1-4217-83d3-fb5f0cc09d8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/redshift_using_default_port/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/results", + "id": "151187cb-0efc-481c-babd-ad24e3c9bc22", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/results", + "id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/resource_not_using_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/results", + "id": "b161c11b-a59b-4431-9a29-4e19f63e6b27", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "eda48c88-2b7d-4e34-b6ca-04c0194aee17", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "b8a31292-509d-4b61-bc40-13b167db7e9c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "f906113d-cdc0-415a-ba60-609cc6daaf4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "f465fff1-0a0f-457d-aa4d-1bddb6f204ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "7c96920c-6fd0-449d-9a52-0aa431b6beaf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "5b4d4aee-ac94-4810-9611-833636e5916d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "9a205ba3-0dd1-42eb-8d54-2ffec836b51a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "ee49557d-750c-4cc1-aa95-94ab36cbefde", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "be2aa235-bd93-4b68-978a-1cc65d49082f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "30b88745-eebe-4ecb-a3a9-5cf886e96204", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": "0a592060-8166-49f5-8e65-99ac6dce9871", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/results", + "id": "fa62ac4f-f5b9-45b9-97c1-625c8b6253ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "d6047119-a0b2-4b59-a4f2-127a36fb685b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "8f75840d-9ee7-42f3-b203-b40e3979eb12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "118281d0-6471-422e-a7c5-051bc667926e", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "f1173d8c-3264-4148-9fdb-61181e031b51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "35ccf766-0e4d-41ed-9ec4-2dab155082b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "c583f0f9-7dfd-476b-a056-f47c62b47b46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/results", + "id": "970d224d-b42a-416b-81f9-8f4dfe70c4bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/root_account_has_active_access_keys/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/results", + "id": "25db74bf-fa3b-44da-934e-8c3e005c0453", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/route53_record_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/results", + "id": "7af43613-6bb9-4a0e-8c4d-1314b799425e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/results", + "id": "38c5ee0d-7f22-4260-ab72-5073048df100", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/results", + "id": "57b9893d-33b1-4419-bcea-a717ea87e139", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/results", + "id": "64a222aa-7793-4e40-915f-4b302c76e4d4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/results", + "id": "ffdf4b37-7703-4dfe-a682-9d2e99bc6c09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/results", + "id": "1df37f4b-7197-45ce-83f8-9994d2fcf885", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/results", + "id": "66c6f96f-2d9e-417e-a998-9058aeeecd44", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/results", + "id": "d0cc8694-fcad-43ff-ac86-32331d7e867f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/results", + "id": "d24c0755-c028-44b1-b503-8e719c898832", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/results", + "id": "f861041c-8c9f-4156-acfc-5e6e524f5884", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/results", + "id": "e39f87f5-0abf-488b-864c-63ee1f588140", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/results", + "id": "a8fc2180-b3ac-4c93-bd0d-a55b974e4b07", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/results", + "id": "5fb49a69-8d46-4495-a2f8-9c8c622b2b6e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/results", + "id": "4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/results", + "id": "bf878b1a-7418-4de3-b13c-3a86cf894920", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/results", + "id": "a4966c4f-9141-48b8-a564-ffe9959945bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_all_permissions/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/results", + "id": "1a4bc881-9f69-4d44-8c9a-d37d08f54c50", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_public_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/results", + "id": "98a8f708-121b-455b-ae2f-da3fb59d17e1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/results", + "id": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/results", + "id": "4fa66806-0dd9-4f8d-9480-3174d39c7c91", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/results", + "id": "1ec253ab-c220-4d63-b2de-5b40e0af9293", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/results", + "id": "568a4d22-3517-44a6-a7ad-6a7eed88722c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_bucket_without_versioning/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/results", + "id": "42bb6b7f-6d54-4428-b707-666f669d94fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/s3_static_website_host_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/results", + "id": "58b35504-0287-4154-bf69-02c0573deab8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/results", + "id": "f3674e0c-f6be-43fa-b71c-bf346d1aed99", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/results", + "id": "fa00ce45-386d-4718-8392-fb485e1f3c5b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/results", + "id": "b0d3ef3f-845d-4b1b-83d6-63a5a380375f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/results", + "id": "a2f548f2-188c-4fff-b172-e9a6acb216bd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secretsmanager_secret_without_kms/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/results", + "id": "5c0003fb-9aa0-42c1-9da3-eb0e332bef21", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/secure_ciphers_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/results", + "id": 
"68eb4bf3-f9bf-463d-b5cf-e029bb446d2e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_rules_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/results", + "id": "65905cec-d691-4320-b320-2000436cb696", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/results", + "id": "cb3f5ed6-0d18-40de-a93d-b3538db31e8c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_group_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/results", + "id": "4849211b-ac39-479e-ae78-5694d506cb24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/security_groups_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/results", + "id": "381c3f2a-ef6f-4eff-99f7-b169cda3422c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/results", + "id": "e35c16a2-d54e-419d-8546-a804d8e024d0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/results", + "id": "92fe237e-074c-4262-81a4-2077acb928c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/results", + "id": "5ba6229c-8057-433e-91d0-21cf13569ca9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/service_control_policies_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/results", + "id": "34b921bd-90a0-402e-a0a5-dc73371fd963", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/results", + "id": "084c6686-2a70-4710-91b1-000393e54c12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/shield_advanced_not_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/results", + "id": "b1a72f66-2236-4f3b-87ba-0da1b366956f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/results", + "id": "b26d2b7e-60f6-413d-a3a1-a57db24aa2b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/results", + "id": "28545147-2fc6-42d5-a1f9-cf226658e591", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/results", + "id": "5ea624e4-c8b1-4bb3-87a4-4235a776adcc", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/results", + "id": "54c417bf-c762-48b9-9d31-b3d87047e3f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/results", + "id": "816ea8cf-d589-442d-a917-2dd0ce0e45e3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_allows_all_actions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/results", + "id": "730675f9-52ed-49b6-8ead-0acb5dd7df7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_policy_with_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/results", + "id": "abb06e5f-ef9a-4a99-98c6-376d396bfcdf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_queue_exposed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/results", + "id": "e9b7acf9-9ba0-4837-a744-31e7df1e434d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/results", + "id": "6e8849c1-3aa7-40e3-9063-b85ee300f29f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sqs_with_sse_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/results", + "id": "ce60cc6b-6831-4bd7-84a2-cc7f8ee71433", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/results", + "id": "ce9dfce0-5fc8-433b-944a-3b16153111a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/results", + "id": "132a8c31-9837-4203-9fd1-15ca210c7b73", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/results", + "id": "4003118b-046b-4640-b200-b8c7a4c8b89f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/results", + "id": "b72d0026-f649-4c91-a9ea-15d8f681ac09", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_notifications_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/results", + "id": "6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_retention_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/results", + "id": "91bea7b8-0c31-4863-adc9-93f6177266c4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/stack_without_template/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/results", + "id": 
"6d3dead4-c6b2-4db7-81bd-3a83eae8f255", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/results", + "id": "590d878b-abdc-428f-895a-e2b68a0e1998", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unknown_port_exposed_to_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/results", + "id": "4728cd65-a20c-49da-8b31-9c08b423e4db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unrestricted_security_group_ingress/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/results", + "id": "9630336b-3fed-4096-8173-b9afdfe346a7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/unscanned_ecr_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/results", + "id": "443488f5-c734-460b-a36d-5b3f330174dc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_data_contains_encoded_private_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/results", + "id": "9b877bd8-94b4-4c10-a060-8e0436cc09fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/results", + "id": "bf9d42c7-c2f9-4dfe-942c-c8cc8249a081", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/results", + "id": "6d23d87e-1c5b-4308-b224-92624300f29b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/results", + "id": "e227091e-2228-4b40-b046-fc13650d8e88", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/results", + "id": "70cb518c-d990-46f6-bc05-44a5041493d6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/results", + "id": "113208f2-a886-4526-9ecc-f3218600e12c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/results", + "id": "0fd7d920-4711-46bd-aff2-d307d82cd8b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/results", + "id": "1743f5f1-0bb0-4934-acef-c80baa5dadfa", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/results", + "id": "19ffbe31-9d72-4379-9768-431195eae328", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/results", + "id": "89561b03-cb35-44a9-a7e9-8356e71606f4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/results", + "id": "94fbe150-27e3-4eba-9ca6-af32865e4503", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/results", + "id": "8055dec2-efb8-4fe6-8837-d9bed6ff202a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/results", + "id": "8bfbf7ab-d5e8-4100-8618-798956e101e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/results", + "id": "eeb4d37a-3c59-4789-a00c-1509bc3af1e5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/results", + "id": "0c10d7da-85c4-4d62-b2a8-d6c104f1bd77", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/results", + "id": "43a41523-386a-4cb1-becb-42af6b414433", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/results", + "id": "33627268-1445-4385-988a-318fd9d1a512", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/results", + "id": "6deb34e2-5d9c-499a-801b-ea6d9eda894f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/results", + "id": "b69247e5-7e73-464e-ba74-ec9b715c6e12", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/results", + "id": "9a4ef195-74b9-4c58-b8ed-2b2fe4353a75", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/results", + "id": "f83121ea-03da-434f-9277-9cd247ab3047", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_flowlogs_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/results", + "id": "b3a41501-f712-4c4f-81e5-db9a7dc0e34e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/results", + "id": "52f04a44-6bfa-4c41-b1d3-4ae99a2de05c", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/results", + "id": "fd632aaf-b8a1-424d-a4d1-0de22fd3247a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vpc_without_network_firewall/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/results", + "id": "3a1e94df-6847-4c0e-a3b6-6c6af4e128ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/results", + "id": "b9033580-6886-401a-8631-5f19f5bb24c7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/results", + "id": "23edf35f-7c22-4ff9-87e6-0ca74261cfbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/dynamo/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/results", + "id": "86571149-eef3-4280-a645-01e60df854b0", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/ebs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/results", + "id": "f53f16d6-46a9-4277-9fbe-617b1e24cdca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/efs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/results", + "id": "54229498-850b-4f78-b3a7-218d24ef2c37", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/elasticache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/results", + "id": "0e59d33e-bba2-4037-8f88-9765647ca7ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/kinesis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/results", + "id": "fcb1b388-f558-4b7f-9b6e-f4e98abb7380", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/mq/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/results", + "id": "051f2063-2517-4295-ad8e-ba88c1bf5cfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/msk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/results", + "id": "12933609-c5bf-44b4-9a41-a6467c3b685b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/rds/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/results", + "id": "2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/s3_bucket/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/results", + "id": "eccc4d59-74b9-4974-86f1-74386e0c7f33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sns/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/results", + "id": "baecd2da-492a-4d59-b9dc-29540a1398e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/aws_bom/sqs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/results", + "id": "1ec163d0-a9be-4695-89a8-a4028a2cbae7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/results", + "id": "99b47957-c575-4555-b8c0-ff92384249b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/results", + "id": "8553d83f-fe77-4c96-8850-a95c5895b336", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/results", + "id": "1219a37a-9a2c-420d-8b8c-30bdbc3bfeb1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/results", + "id": 
"d0514e4b-9e95-4a7a-9bc5-0adb32514122", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/results", + "id": "62d120b1-b1e0-40ef-a81d-a4994ac88b3b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/results", + "id": "a7b422e3-0b2f-4795-a43a-136dbbd6cbb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/results", + "id": "b3b9ce2f-c229-4133-9a2b-4e649cf2347e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/results", + "id": "b97a1065-a86b-442f-86c4-f95afd9b3ac6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/results", + "id": "8ce5c61f-5cd1-41bc-b7d9-b26b18efd505", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/results", + "id": "f677bd92-3922-4e75-8f0c-2c0f8fbc9609", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/results", + "id": "a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/results", + "id": "b897dfbf-322c-45a8-b67c-1e698beeaa51", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/results", + "id": "b17d8bb8-4c08-4785-867e-cb9e62a622aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/results", + "id": "f5342045-b935-402d-adf1-8dbbd09c0eef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_network_policy_misconfigured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/results", + "id": "599318f2-6653-4569-9e21-041d06c63a89", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/results", + "id": "86f92117-eed8-4614-9c6c-b26da20ff37f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_rbac_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/results", + "id": "43789711-161b-4708-b5bb-9d1c626f7492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/results", + "id": "0493b840-50e8-430c-93bc-d794d72931a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/aks_without_audit_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/results", + "id": "c7fc1481-2899-4490-bbd8-544a3a61a2f3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/results", + "id": "85da374f-b00f-4832-9d44-84a1ca1e89f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/results", + "id": "525b53be-62ed-4244-b4df-41aecfcb4071", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_http2_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/results", + "id": "b61cce4b-0cc4-472b-8096-15617a6d769b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/results", + "id": "b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/results", + "id": "0f7964fa-96fd-4a72-9fb7-3cdef71479db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/results", + "id": "96fe318e-d631-4156-99fa-9080d57280ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_php_version/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/results", + "id": "cc4aaa9d-1070-461a-b519-04e00f42db8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/app_service_without_latest_python_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/results", + "id": "a21c8da9-41bf-40cf-941d-330cf0d11fc7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_active_directory_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/results", + "id": "a81573f9-3691-4d83-88a0-7d4af63e17a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/results", + "id": "4a9e0f00-0765-4f72-a0d4-d31110b78279", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/results", + "id": "77deea6a-155e-4865-bf04-153d23e488e8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/results", + "id": "a187ac47-8163-42ce-8a63-c115236be6fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_container_registry_with_no_locks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/results", + "id": "835a4f2f-df43-437d-9943-545ccfc55961", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_front_door_waf_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/results", + "id": "dafe30ec-325d-4516-85d1-e8e6776f012c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/azure_instance_using_basic_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/results", + "id": "7a0164a5-ec6e-40b2-938d-ab3edfd37dcd", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_immutability/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/results", + "id": "8d407b28-c746-4650-8bbd-d27df54a795f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/backup_vault_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/results", + "id": "056d28cc-7ee9-4b12-b2d1-16b7b66db72d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/blob_storage_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/results", + "id": "829246df-02c5-490c-993b-10a07a7242e9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/results", + "id": "02f0e3e7-2550-4d75-a23b-ab5254a3ebeb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_group_managed_identity_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/results", + "id": "71884fcb-ae03-41c8-87b9-22c90353f256", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/results", + "id": "12ecec8a-7961-48db-b644-86be8845d8fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/containers_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/results", + "id": "56dad03e-e94f-4dd6-93a4-c253a03ff7a0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmos_db_account_without_tags/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/results", + "id": "c2a3efb6-8a58-481c-82f2-bfddf34bb4b7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/results", + "id": 
"61c3cb8b-0715-47e4-b788-86dde40dd2db", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/dashboard_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/results", + "id": "0bd3630a-2ae9-4522-9d66-04049654b1df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/results", + "id": "05d6b52e-11ca-453d-bb3a-21c7c853ee92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/results", + "id": "416ac446-9a2e-4f6d-84d2-82add788c7da", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/databricks_workspace_without_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/results", + "id": "a5613650-32ec-4975-a305-31af783153ea", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/results", + "id": "21fa1872-47b3-46ec-9775-f41e85d80cb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/results", + "id": "68403c84-8497-449b-9946-ae848765813f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/results", + "id": "9db38e87-f6aa-4b5e-a1ec-7266df259409", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/email_alerts_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/results", + "id": "a99130ab-4c0e-43aa-97f8-78d4fcb30024", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/results", + "id": "54087baa-8719-48a8-8460-9cc0962117aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/file_share_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/results", + "id": "a829b715-cf75-4e92-b645-54c9b739edfb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/results", + "id": "e65a0733-94a0-4826-82f4-df529f4c593f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_authentication_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/results", + "id": "9bb3c639-5edf-458c-8ee5-30c17c7d671d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_client_certificates_unrequired/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/results", + "id": "03928f0d-bff0-4feb-a31a-615d093e6026", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/results", + "id": "9dab0179-433d-4dff-af8f-0091025691df", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/results", + "id": "ace823d1-4432-4dee-945b-cdf11a5a6bd0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_http2_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/results", + "id": "c87749b3-ff10-41f5-9df2-c421e8151759", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/results", + "id": "45fc717a-bd86-415c-bdd8-677901be1aa6", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/results", + "id": "8b042c30-e441-453f-b162-7696982ebc58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/geo_redundancy_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/results", + "id": "4d080822-5ee2-49a4-8984-68f3d4c890fc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_expiration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/results", + "id": "cec6e005-9309-46eb-b34b-456f6eae818b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/results", + "id": "f8e08a38-fc6e-4915-abbe-a7aadf1d59ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/results", + "id": "fbb8e5e0-6dea-41d3-8739-4f2405b0e22a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/key_vault_without_hsm_protection/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/results", + "id": "9b0140d1-50c1-4deb-ba58-472315c7a1ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/results", + "id": "ffb02aca-0d12-475e-b77c-a726f7aeff4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/log_retention_is_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/results", + "id": "7fa50094-0ca5-4253-aa71-f1a3b575d4a5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/logic_app_managed_identity_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/results", + "id": "7f0a8696-7159-4337-ad0d-8a3ab4a78195", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/results", + "id": "0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/results", + "id": "22cb3507-1ef4-44ac-9c9a-cab31167e31e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/results", + "id": "609839ae-bd81-4375-9910-5bce72ae7b92", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/results", + "id": "25cd1853-7e80-4106-9ac3-03f8636c25be", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/results", + "id": "ade36cf4-329f-4830-a83d-9db72c800507", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/results", + "id": "f118890b-2468-42b1-9ce9-af35146b425b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_server_public_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/results", + "id": "73e42469-3a86-4f39-ad78-098f325b4e9f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/mysql_ssl_connection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/results", + "id": "4216ebac-d74c-4423-b437-35025cb88af5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/results", + "id": 
"c1573577-e494-4417-8854-7e119368dc8b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_interfaces_with_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/results", + "id": "b90842e5-6779-44d4-9760-972f4c03ba1c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/network_watcher_flow_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/results", + "id": "3790d386-be81-4dcf-9850-eaa7df6c10d9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/results", + "id": "c640d783-10c5-4071-b6c1-23507300d333", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_connections_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/results", + "id": "07f7134f-9f37-476e-8664-670c218e4702", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/results", + "id": "16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_log_duration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/results", + "id": "9f15ecc4-d9df-44ba-bb88-28c97e946114", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/results", + "id": "6425c98b-ca4e-41fe-896a-c78772c131f8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/results", + "id": "c407c3cf-c409-4b29-b590-db5f4138d332", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/results", + "id": "2b3c671f-1b76-4741-8789-ed1fe0785dc4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/results", + "id": "17f75827-0684-48f4-8747-61129c7e4198", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/public_storage_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/results", + "id": "efbf6449-5ec5-4cfe-8f15-acc51e0d787c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/results", + "id": "d3ba7d62-bd07-4102-88ca-9668e5f08e7d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/results", + "id": "0af1814d-23d7-472e-a1b8-b265e7b0d88f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/results", + "id": "b373043c-f3bf-40db-b67a-c982732c7781", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/results", + "id": "e29a75e6-aba3-4896-b42d-b87818c16b58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/results", + "id": "d501246e-45d4-48fd-8975-a23e7124bdfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/results", + "id": "e22e5620-3679-418e-bb74-c9f71731ab0f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/payloads" 
+ }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/results", + "id": "fd8da341-6760-4450-b26c-9f6d8850575e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_entirely_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/results", + "id": "b947809d-dd2f-4de9-b724-04d101c515aa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_not_updated_regularly/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/results", + "id": "5089d055-53ff-421b-9482-a5267bdce629", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/redis_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/results", + "id": "50f32d3c-096e-406a-bb26-71b3c91c11c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/resource_without_diagnostic_settings/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/results", + "id": "8e75e431-449f-49e9-b56a-c8f1378025cf", + 
"payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/results", + "id": "3fa5900f-9aac-4982-96b2-a6143d9c99fb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/results", + "id": "dfa20ffa-f476-428f-a490-424b41e91c7f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/secret_expiration_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/results", + "id": "819d50fd-1cdf-45c3-9936-be408aaad93e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/results", + "id": "34664094-59e0-4524-b69f-deaa1a68cce3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_contact_email/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/results", + "id": "5c822443-e1ea-46b8-84eb-758ec602e844", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/security_group_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/results", + "id": "594c198b-4d79-41b8-9b36-fde13348b619", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/results", + "id": "e9dee01f-2505-4df2-b9bf-7804d1fd9082", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/results", + "id": "c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/results", + "id": 
"8a0628ed-6256-4a24-a1ab-54696fb69197", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/service_without_resource_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/results", + "id": "2b856bf9-8e8c-4005-875f-303a8cba3918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_activity_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/results", + "id": "7750fcca-dd03-4d38-b663-4b70289bcfd4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_flow_logs_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/results", + "id": "59acb56b-2b10-4c2c-ba38-f2223c3f5cfc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_msql_server_audit_retention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/results", + "id": "9c301481-e6ec-44f7-8a49-8ec63e2969ea", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_mssql_audit_retention_period/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/results", + "id": "261a83f8-dd72-4e8c-b5e1-ebf06e8fe606", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/results", + "id": "83a229ba-483e-47c6-8db7-dc96969bce5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_audit_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/results", + "id": "0745bb3f-60dc-43b6-90ae-67bb01fd1775", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_database_without_data_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/results", + "id": "55975007-f6e7-4134-83c3-298f1fe4b519", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_alert_email_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/results", + "id": 
"f7e296b0-6660-4bc5-8f87-22ac4a815edf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/results", + "id": "25c0ea09-f1c5-4380-b055-3b83863f2bb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/results", + "id": "bcd3fc01-5902-4f2a-b05a-227f9bbf5450", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/results", + "id": "2ab6de9a-0136-415c-be92-79d2e4fd750f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/results", + "id": "3e3c175e-aadf-4e2b-a464-3fdac5748d24", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/results", + "id": "0437633b-daa6-4bbc-8526-c0d2443b946e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/ssl_enforce_is_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/results", + "id": "12944ec4-1fa0-47be-8b17-42a034f937c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_forcing_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/results", + "id": "621fc7c5-c342-4223-b3dd-d1530acb43ae", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/results", + "id": "8263f146-5e03-43e0-9cfe-db960d56d1e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/results", + "id": "233ab26d-8f17-4dce-9616-41479da9ffe3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/results", + "id": "50e0a9e3-7360-483c-9873-ba1ea1a7faf8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/results", + "id": "45f3e879-f8a7-4102-a3fa-46da5a849870", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_with_shared_access_key/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/results", + "id": "9bf1568d-4cd2-4581-81ef-d2efabee1178", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_cmk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/results", + "id": "0cc95bf8-9b98-4278-ad9f-fea4aed3d271", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_account_without_delete_lock/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/results", + "id": "dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_container_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/results", + "id": "5ed0a5f3-6b81-4a6c-a7d1-0f1d8d9ae806", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/results", + "id": "3ac3e75c-6374-4a32-8ba0-6ed69bda404e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/results", + "id": "5400f379-a347-4bdd-a032-446465fdcc6f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/results", + "id": "d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/unrestricted_sql_server_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/results", + "id": "41d7989b-3be2-4081-8c79-cf903dd174c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/results", + "id": "38c71c00-c177-4cd7-8d36-cd1007cdb190", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vault_auditing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/results", + "id": "b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/results", + "id": "bbf6b3df-4b65-4f87-82cc-da9f30f8c033", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_not_attached_to_network/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/results", + "id": "187e6d39-5e1e-4afa-9c0a-b79632eef346", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/results", + "id": "59528fe9-0c8e-4153-8016-445911a2d933", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_with_extension_operations_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/results", + "id": "a5cfef8f-910e-4fd6-8155-f381b236a492", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/results", + "id": "30c7c2f1-c048-49ba-81a4-ae465bbb3335", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_encryption_at_host/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/results", + "id": "0536c90c-714e-4184-991e-3fed8d8b7b46", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/vm_without_managed_disk/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/results", + "id": "2e48d91c-50e4-45c8-9312-27b625868a72", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/results", + "id": "11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/results", + "id": "953c0cc6-5f30-44cb-a803-bf4ef2571be8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/autoscale_badly_setup/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/results", + "id": 
"b0749c53-e3ff-4d09-bbe4-dca94e2e7a38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_aws_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/results", + "id": "38028698-e663-4ef7-aa92-773fef0ca86f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_azure_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/results", + "id": "539e4557-d2b5-4d57-a001-cb01140a4e2d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/cluster_gcp_attributes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/results", + "id": "a4edb7e1-c0e0-4f7f-9d7c-d1b603e81ad5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/databricks_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/results", + "id": "23c3067a-8cc9-480c-b645-7c1e0ad4bf60", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/group_without_user_or_instance_profile/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/results", + "id": "23e1f5f0-12b7-4d7e-9087-f60f42ccd514", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_obo_token/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/results", + "id": "7d05ca25-91b4-42ee-b6f6-b06611a87ce8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/indefinitely_token/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/results", + "id": "2c4fe4a9-f44b-4c70-b09b-5b75cd251805", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/unrestricted_acl/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/results", + "id": "5a627dfa-a4dd-4020-a4c6-5f3caf4abcd6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_lts_spark_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/results", + "id": "375cdab9-3f94-4ae0-b1e3-8fbdf9cdf4d7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/databricks/use_spark_submit_task/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/results", + "id": "e576ce44-dd03-4022-a8c0-3906acca2ab4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/bigquery_dataset_is_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/results", + "id": "4f60da73-190e-4048-8e1d-cc5a3974cd15", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/results", + "id": "5ef61c88-bbb4-4725-b1df-55d23c9676bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_dns_without_dnssec/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/results", + "id": "a6cd52a1-3056-4910-96a5-894de9f3f3b3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/results", + "id": "c010082c-76e0-4b91-91d9-6e8439e455dd", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/results", + "id": "d6cabc3a-d57e-48c2-b341-bf3dd4f4a120", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/results", + "id": "e7e961ac-d17e-4413-84bc-8a1fbe242944", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/results", + "id": "65c1bc7a-4835-4ac4-a2b6-13d310b0648d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_labels_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/results", + "id": "99976ba0-aa37-4745-93a6-5f1d55997f67", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/results", + "id": "8a893e46-e267-485a-8690-51f39951de58", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/cos_node_image_not_used/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/results", + "id": "b1d51728-7270-4991-ac2f-fc26e2695b38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/results", + "id": "ccc3100c-0fdd-4a5e-9908-c10107291860", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/dnssec_using_rsasha1/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/results", + "id": "7bd9c6a8-3b1f-495c-9752-a4a9c4e1b29f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/results", + "id": "c1701dcf-24df-4675-b863-340233c4e34f", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/results", + "id": "5baa92d2-d8ee-4c75-88a4-52d9d8bb8067", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/results", + "id": "1c8eef02-17b1-4a3e-b01d-dcc3292d2c38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/gke_using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/results", + "id": "40abce54-95b1-478c-8e5f-ea0bf0bb0e33", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/results", + "id": "22ef1d26-80f8-4a6c-8c15-f35aab3cac78", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/results", + "id": "e6f61c37-106b-449f-a5bb-81bfcaceb8b4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/results", + "id": "14a457f0-473d-4d1d-9e37-6d99b355b336", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/results", + "id": "40430747-442d-450a-a34f-dc57149f4609", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/results", + "id": "ee7b93c1-b3f8-4a3b-9588-146d481814f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/results", + "id": "acfdbec6-4a17-471f-b412-169d77553332", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/results", + "id": "cc9e464e-5abc-4c8f-8077-a9aa7ebe6a05", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/results", + "id": "8ca7e731-56f6-4fb4-9b98-fcb0a93518c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/results", + "id": "59571246-3f62-4965-a96f-c7d97e269351", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/results", + "id": "617ef6ff-711e-4bd7-94ae-e965911b1b40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/results", + "id": "84d36481-fd63-48cb-838e-635c44806ec2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/results", + "id": "c68b4e6d-4e01-4ca1-b256-1e18e875785c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/results", + "id": "bb0db090-5509-4853-a827-75ced0b3caa0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/results", + "id": "d8c57c4e-bf6f-4e32-a2bf-8643532de77b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/results", + "id": "89fe890f-b480-460c-8b6b-7d8b1468adb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/iam_audit_not_properly_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/results", + "id": "c606ba1d-d736-43eb-ac24-e16108f3a9e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_aliasing_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/results", + "id": "f34c0c25-47b4-41eb-9c79-249b4dd47b89", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ip_forwarding_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/results", + "id": "92e4464a-4139-4d57-8742-b5acc0347680", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/results", + "id": "16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/results", + "id": "ced11de2-e701-4e63-83ab-4fdb1ab8c5dd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/results", + "id": "73fb21a1-b19a-45b1-b648-b47b1678681e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/results", + "id": "700f1049-7fa0-4cb0-971b-3efebfb6a91f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/results", + "id": "39d83c5a-2df4-4a2c-8ffb-b96b1bc3a813", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/results", + "id": "69d4f245-d534-479e-8bcc-f6a836276dc8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/results", + "id": "a881b71c-73ac-4358-879c-e3271db5a3c5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/results", + "id": "11e7550e-c4b6-472e-adff-c698f157cdd7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/network_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/results", + "id": "b139213e-7d24-49c2-8025-c18faa21ecaa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/node_auto_upgrade_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/results", + "id": "9356962e-4a4f-4d06-ac59-dc8008775eaa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/not_proper_email_account_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/results", + "id": "32ecd6eb-0711-421f-9627-1a28d9eff217", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/results", + "id": "d0b4d550-c001-46c3-bbdb-d5d75d33f05f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/results", + "id": "128df7ec-f185-48bc-8913-ce756a3ccb85", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/outdated_gke_version/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/results", + "id": "9192e0f9-eca5-4056-9282-ae2a736a4088", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/pod_security_policy_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/results", + "id": "6ccb85d7-0420-4907-9380-50313f80946b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/private_cluster_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/results", + "id": "3e4d5ce6-3280-4027-8010-c26eeea1ec01", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/results", + "id": "678fd659-96f2-454a-a2a0-c2571f83a4a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/rdp_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/results", + "id": "cefdad16-0dd5-4ac5-8ed2-a37502c78672", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/service_account_with_improper_privileges/payloads" 
+ }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/results", + "id": "4b5ee6a4-5682-4725-8a7a-d9e9a51986c8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/results", + "id": "579a0727-9c29-4d58-8195-fc5802a8bdb4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/results", + "id": "1b44e234-3d73-41a8-9954-0b154135280e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/shielded_vm_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/results", + "id": "cf3c7631-cd1e-42f3-8801-a561214a6e79", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/results", + "id": 
"b187edca-b81e-4fdc-aff4-aab57db45edb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/results", + "id": "c3655703-569b-42ec-8027-ef8835d989c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/results", + "id": "b5b70198-2a34-4792-b0d9-ce99abe485bb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/results", + "id": "f5aff735-fd1c-4751-a5e9-98bfe4893fa2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/results", + "id": "1c329b9b-8221-4b55-8d5f-f0959faf9cee", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/results", + "id": "c8e4444e-d9a9-4426-be8e-9f1b8c43133c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/results", + "id": "18cb7d28-57df-4d6b-9fb4-02828cb15660", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/results", + "id": "51a2c34d-dfd0-436f-aa34-e8f796e052fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/results", + "id": "00335e17-674c-442e-a64c-9436e60e6efb", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/results", + "id": "5a8c5d26-c592-4c98-afac-9762c54cc868", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/results", + "id": "d4436ca8-1caf-427c-8911-8b4d31ff6b40", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/results", + "id": "02474449-71aa-40a1-87ae-e14497747b00", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/results", + "id": "13de4e49-d407-4277-ba5a-d7f59283902f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/results", + "id": "ecbbe763-95dc-47e6-8660-84ff751e5acf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/results", + "id": "245eb024-d08a-449b-a1f2-02f7bba00fc2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/results", + "id": "fc7187e5-b9a2-46c0-950d-3bfcaaacc5ca", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/results", + "id": "8895abb4-6491-4ae6-9c33-c2f360752b7a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/results", + "id": "c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/ssh_access_is_not_restricted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/results", + "id": "4c7ebcb2-eae2-461e-bc83-456ee2d4f694", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_logging_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/results", + "id": "30e8dfd2-3591-4d19-8d11-79e93106c93d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/results", + "id": "704fcc44-a58f-4af5-82e2-93f2a58ef918", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/user_with_iam_role/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/results", + "id": "3cb4af0b-056d-4fb1-8b95-fdc4593625ff", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/using_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/results", + "id": 
"97fa667a-d05b-4f16-9071-58b939f34751", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/results", + "id": "bc280331-27b9-4acb-a010-018e8098aa5d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp/vm_with_full_cloud_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/results", + "id": "895ed0d9-6fec-4567-8614-d7a74b599a53", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/dataflow/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/results", + "id": "c9d81239-c818-4869-9917-1570c62b81fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/fi/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/results", + "id": "dd7d70aa-a6ec-460d-b5d2-38b40253b16f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pd/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/results", + "id": "4b82202a-b18e-4891-a1eb-a0989850bbb3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/pst/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/results", + "id": "bc75ce52-a60a-4660-b533-bce837a5019b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/redis/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/results", + "id": "2f06d22c-56bd-4f73-8a51-db001fcf2150", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/gcp_bom/sb/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/results", + "id": "3a81fc06-566f-492a-91dd-7448e409e2cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/generic_git_module_without_revision/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/results", + "id": "1e434b25-8763-4b00-a5ca-ca03b7abbb66", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/name_is_not_snake_case/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/results", + "id": "59312e8a-a64e-41e7-a252-618533dd1ea8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/output_without_description/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/results", + "id": "2a153952-2544-4687-bcc9-cc8fea814a9b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_description/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/results", + "id": "fc5109bf-01fd-49fb-8bde-4492b543c34a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/general/variable_without_type/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/results", + "id": "ce7c874e-1b88-450b-a5e4-cb76ada3c8a9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/results", + "id": "15d8a7fd-465a-4d15-a868-add86552f17b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/github/github_repository_set_to_public/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/results", + 
"id": "17172bc2-56fb-4f17-916f-a014147706cd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/results", + "id": "a9174d31-d526-4ad9-ace4-ce7ddbf52e03", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/results", + "id": "587d5d82-70cf-449b-9817-f60f9bccb88c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_host_pid_is_true/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/results", + "id": "87065ef8-de9b-40d8-9753-f4a4303e27a4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_is_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/results", + "id": "60af03ff-a421-45c8-b214-6741035476fa", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_resources_limits_undefined/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/results", + "id": "0ad60203-c050-4115-83b6-b94bde92541d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_runs_unmasked/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/results", + "id": "fe771ff7-ba15-4f8f-ad7a-8aa232b49a28", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/container_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/results", + "id": "3f55386d-75cd-4e9a-ac47-167b26c04724", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/results", + "id": "5f4735ce-b9ba-4d95-a089-a37a767b716f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_limits_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/results", + "id": "577ac19c-6a77-46d7-9f14-e049cdd15ec2", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cpu_requests_not_set/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/results", + "id": "58876b44-a690-4e9f-9214-7735fa0dd15d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/results", + "id": "737a0dd9-0aaa-4145-8118-f01778262b8a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/default_service_account_in_use/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/results", + "id": "461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/results", + "id": "a05331ee-1653-45cb-91e6-13637a76e4f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/results", + "id": "4e203a65-c8d8-49a2-b749-b124d43c9dc1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/results", + "id": "17e52ca3-ddd0-4610-9d56-ce107442e110", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/results", + "id": "aa737abf-6b1d-4aba-95aa-5c160bd7f96e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/results", + "id": "228c4c19-feeb-4c18-848c-800ac70fdfb7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/image_without_digest/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/results", + "id": "26b047a9-0329-48fd-8fb7-05bbe5ba80ee", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/results", + "id": "e2c83c1f-84d7-4467-966c-ed41fd015bb9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/results", + "id": "e76cca7c-c3f9-4fc9-884c-b2831168ebd8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/invalid_image/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/results", + "id": "5b6d53dd-3ba3-4269-b4d7-f82e880e43c3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/results", + "id": "fd097ed0-7fe6-4f58-8b71-fef9f0820a21", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_limits_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/results", + "id": "21719347-d02b-497d-bda4-04a03c8e5b61", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/memory_requests_not_defined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/results", + "id": "bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/metadata_label_is_invalid/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/results", + "id": "bd6bd46c-57db-4887-956d-d372f21291b6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/missing_app_armor_config/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/results", + "id": "9aa32890-ac1a-45ee-81ca-5164e2098556", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/results", + "id": "e5587d53-a673-4a6b-b3f2-ba07ec274def", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/results", + "id": "b80b14c6-aaa2-4876-b651-8a48b6c32fbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/results", + "id": "21cef75f-289f-470e-8038-c7cee0664164", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/results", + "id": "86a947ea-f577-4efb-a8b0-5fc00257d521", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/results", + "id": "522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/results", + "id": "ad69e38a-d92e-4357-a8da-f2f29d545883", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/results", + "id": "c878abb4-cca5-4724-92b9-289be68bd47c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/privilege_escalation_allowed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/results", + "id": "4950837c-0ce5-4e42-9bee-a25eae73740b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/results", + "id": "2bff9906-4e9b-4f71-9346-8ebedfdf43ef", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/results", + "id": "51bed0ac-a8ae-407a-895e-90c6cb0610ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/results", + "id": "a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_set_to_privileged/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/results", + "id": "48388bd2-7201-4dcc-b56d-e8a9efa58fad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/psp_with_added_capabilities/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/results", + "id": "826abb30-3cd5-4e0b-a93b-67729b4f7e63", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/results", + "id": 
"8657197e-3f87-4694-892b-8144701d83c1", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/results", + "id": "3360c01e-c8c0-4812-96a2-a6329b9b7f9f", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/results", + "id": "d532566b-8d9d-4f3b-80bd-361fe802f9c2", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/results", + "id": "4c415497-7410-4559-90e8-f2c8ac64ee38", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/root_containers_admitted/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/results", + "id": "455f2e0c-686d-4fcb-8b5f-3f953f12c43c", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/results", + "id": "6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/secrets_as_environment_variables/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/results", + "id": "07fc3413-e572-42f7-9877-5c8fc6fccfb5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/results", + "id": "24b132df-5cc7-4823-8029-f898e1c50b72", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/results", + "id": "a9a13d4f-f17a-491b-b074-f54bffffcb4a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/results", + "id": "5c281bf8-d9bb-47f2-b909-3f6bb11874ad", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_type_is_nodeport/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/results", + "id": "2a52567c-abb8-4651-a038-52fa27c77aed", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/service_with_external_load_balancer/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/results", + "id": "e94d3121-c2d1-4e34-a295-139bfeb73ea3", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/results", + "id": "ac1564a3-c324-4747-9fa1-9dfc234dace0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_host_network_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/results", + "id": "f74b9c43-161a-4799-bc95-0b0ec81801b9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/shared_service_account/payloads" + }, + { + 
"test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/results", + "id": "fcc2612a-1dfe-46e4-8ce6-0320959f0040", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_requests_storage/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/results", + "id": "7249e3b0-9231-4af3-bc5f-5daf4988ecbf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/results", + "id": "420e6360-47bb-46f6-9072-b20ed22c842d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/statefulset_without_service_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/results", + "id": "ca2fba76-c1a7-4afd-be67-5249f861cb0e", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/tiller_is_deployed/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/results", + "id": 
"abcb818b-5af7-4d72-aba9-6dd84956b451", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/using_default_namespace/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/results", + "id": "a62a99d1-8196-432f-8f80-3c100b05d62a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/results", + "id": "4e74cf4f-ff65-4c1a-885c-67ab608206ce", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_host_port_not_specified/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/results", + "id": "a737be28-37d8-4bff-aa6d-1be8aa0a0015", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/results", + "id": "df58dd45-8009-43c2-90f7-c90eb9d53ed9", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/results", + "id": "b2ea2367-8dc9-4231-a035-d0b28bfa3dde", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/results", + "id": "89218b48-75c9-4cb3-aaba-5299e852e8bc", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/results", + "id": "41c127a9-3a85-4bc3-a333-ed374eb9c3e4", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/results", + "id": "e4610872-0b1c-4fb7-ab57-d81c0afdb291", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/results", + "id": "e5071f76-cbe7-468d-bb2b-d10f02d2b713", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/results", + "id": "fb387023-e4bb-42a8-9a70-6708aa7ff21b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/results", + "id": "9bf57c23-fbab-4222-85f3-3f207a53c6a8", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/results", + "id": "940ddce2-26bd-4e31-a9b4-382714f73231", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test", + 
"results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/results", + "id": "a0b846e8-815f-4f15-b660-bc4ab9fa1e1a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/results", + "id": "a1defcb6-55e8-4511-8c2a-30b615b0e057", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/dns_has_verified_record/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/results", + "id": "5061f84c-ab66-4660-90b9-680c9df346c0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/results", + "id": "afcb0771-4f94-44ed-ad4a-9f73f11ce6e0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_listener_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/results", + "id": "e2de2b80-2fc2-4502-a764-40930dfcc70a", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/elb_use_http/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/results", + "id": "9f751a80-31f0-43a3-926c-20772791a038", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/results", + "id": "94e47f3f-b90b-43a1-a36d-521580bae863", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_http/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/results", + "id": "944439c7-b4b8-476a-8f83-14641ea876ba", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/results", + "id": "675e8eaa-2754-42b7-bf33-bfa295d1601d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/results", + "id": 
"4b801c38-ebb4-4c81-984b-1ba525d43adf", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_instance_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/results", + "id": "e840c54a-7a4c-405f-b8c1-c49a54b87d11", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/results", + "id": "8d7758a7-d9cd-499a-a83e-c9bdcbff728d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/results", + "id": "30c2760c-740e-4672-9d7f-2c29e0cb385d", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_has_common_private/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/results", + "id": "e7dada38-af20-4899-8955-dabea84ab1f0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/router_security_group_undefined/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/results", + "id": "b3535a48-910c-47f8-8b3b-14222f29ef80", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/results", + "id": "5d820574-4a60-4916-b049-0810b8629731", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/results", + "id": "18d6aa4b-7570-4d95-9c75-90363ef1abd9", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/results", + "id": "ca94be07-7de3-4ae7-85ef-67e0462ec694", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test", + "results_file_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/results", + "id": "ada01ed1-b10c-4f2a-b110-b20fa4f9baa6", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/results", + "id": "fe08b81c-12e9-4b5e-9006-4218fca750fd", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/results", + "id": "966ed4f7-b8a5-4e8d-b2bf-098657c98960", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/results", + "id": "a74b4602-a62c-4a02-956a-e19f86ea24b5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/results", + "id": "93bb2065-63ec-45a2-a466-f106b56f2e32", + "payload_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/results", + "id": "b4e75c5c-83d5-4568-90e3-57ed5ec4051b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/results", + "id": "5bb6fa08-5e84-4760-a54a-cdcd66626976", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/results", + "id": "1ee0f202-31da-49ba-bbce-04a989912e4b", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/disk_encryption_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/results", + "id": "d135a36e-c474-452f-b891-76db1e6d1cd5", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/payloads" + }, + { + "test_path": 
"/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/results", + "id": "3ed47402-e322-465f-a0f0-8681135a17b0", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/results", + "id": "df6928ed-02f4-421f-9a67-a529860dd7e7", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/results", + "id": "fe405074-7e18-40f9-9aef-024aa1d0a889", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/payloads" + }, + { + "test_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test", + "results_file_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/results", + "id": "a3240001-40db-47b7-abb9-2bcd6a04c430", + "payload_path": "/home/ricardomqj/Desktop/kics/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/payloads" + } + ] +} \ No newline at end of file diff --git a/.github/scripts/generate-positive-expected-results/write_expected_results.py b/.github/scripts/generate-positive-expected-results/write_expected_results.py new file mode 100644 index 00000000000..926bac45405 --- /dev/null 
+++ b/.github/scripts/generate-positive-expected-results/write_expected_results.py 
@@ -0,0 +1,172 @@ +import json +from pathlib import Path + +from models import TestList +from runner import run_all + + +def deduplicate_results(results: list[dict]) -> list[dict]: + """Remove duplicate results, keeping only the first occurrence of each unique result.""" + seen = set() + deduplicated = [] + for result in results: + result_tuple = ( + result["queryName"], + result["severity"], + result["line"], + result["filename"], + result["resourceType"], + result["resourceName"], + result["searchKey"], + result["searchValue"], + result["expectedValue"], + result["actualValue"], + ) + if result_tuple not in seen: + seen.add(result_tuple) + deduplicated.append(result) + return deduplicated + + +def _get_subdir_filenames(test_dir: Path) -> dict[str, Path]: + """Build a mapping of filename -> subdirectory path for files inside positive subdirectories. + + Some test directories contain positive test subdirectories (e.g. positive2/) that have their + own files and their own positive_expected_result.json. This function maps filenames found + inside those subdirectories so results can be routed to the correct location. 
+ """ + filename_to_subdir: dict[str, Path] = {} + for item in test_dir.iterdir(): + if item.is_dir() and item.name.startswith("positive"): + for child in item.iterdir(): + if child.is_file() and child.name != "positive_expected_result.json": + filename_to_subdir[child.name] = item + return filename_to_subdir + + +def _write_results_file(output_file: Path, results: list[dict]) -> None: + """Deduplicate, sort, and write results to a positive_expected_result.json file.""" + results = deduplicate_results(results) + results.sort(key=lambda r: ( + r["filename"], + r["line"] if isinstance(r["line"], int) else 0, + )) + output_file.parent.mkdir(parents=True, exist_ok=True) + with open(output_file, "w", encoding="utf-8") as f: + json.dump(results, f, indent=2, ensure_ascii=False) + + +def write_positive_expected_results(test_list: TestList) -> None: + """For each query, write positive_expected_result.json in the test_path directory. + + When a test directory contains positive subdirectories (e.g. positive2/), results + for files inside those subdirectories are written to the subdirectory's own + positive_expected_result.json instead of the top-level one. 
+ """ + total = len(test_list.queries_list) + written = 0 + skipped = 0 + + for i, query in enumerate(test_list.queries_list, start=1): + if not query.results_info: + print(f"[{i}/{total}] Skipping query {query.id} — no results") + skipped += 1 + continue + + test_dir = Path(query.test_path) + test_dir.mkdir(parents=True, exist_ok=True) + + # Map filenames inside positive subdirectories to their subdirectory + subdir_filenames = _get_subdir_filenames(test_dir) + + # Route results: top-level vs subdirectory + top_level_results: list[dict] = [] + subdir_results: dict[str, list[dict]] = {} + + for ri in query.results_info: + result = { + "queryName": ri.query_name, + "severity": ri.severity, + "line": int(ri.line) if ri.line.isdigit() else ri.line, + "filename": ri.filename, + "resourceType": ri.resource_type, + "resourceName": ri.resource_name, + "searchKey": ri.search_key, + "searchValue": ri.search_value, + "expectedValue": ri.expected_value, + "actualValue": ri.actual_value, + } + + if ri.filename in subdir_filenames: + subdir_path = str(subdir_filenames[ri.filename]) + subdir_results.setdefault(subdir_path, []).append(result) + else: + top_level_results.append(result) + + # Write top-level positive_expected_result.json + if top_level_results: + output_file = test_dir / "positive_expected_result.json" + _write_results_file(output_file, top_level_results) + print(f"[{i}/{total}] Wrote {output_file} ({len(top_level_results)} results)") + written += 1 + + # Write subdirectory positive_expected_result.json files + for subdir_path, results in subdir_results.items(): + output_file = Path(subdir_path) / "positive_expected_result.json" + _write_results_file(output_file, results) + print(f"[{i}/{total}] Wrote {output_file} ({len(results)} results)") + written += 1 + + if not top_level_results and not subdir_results: + print(f"[{i}/{total}] Skipping query {query.id} — no results after routing") + skipped += 1 + + print(f"\nDone: {written} files written, {skipped} skipped") 
+ + +def write_skipped_queries_report(test_list: TestList, output_path: str | Path | None = None) -> None: + """Write a JSON report of queries that produced no results, including the raw scan output.""" + if output_path is None: + output_path = Path(__file__).resolve().parent / "skipped_queries_report.json" + else: + output_path = Path(output_path) + + skipped_queries = [] + + for query in test_list.queries_list: + if query.results_info: + continue + + raw_results = None + results_file = Path(query.results_file_path) / "all_results.json" + if results_file.is_file(): + with open(results_file, "r", encoding="utf-8") as f: + raw_results = json.load(f) + + skipped_queries.append({ + "id": query.id, + "test_path": query.test_path, + "results_file_path": query.results_file_path, + "return_code": query.return_code, + "all_results": raw_results, + }) + + with open(output_path, "w", encoding="utf-8") as f: + json.dump(skipped_queries, f, indent=2, ensure_ascii=False) + + print(f"Skipped queries report: {output_path} ({len(skipped_queries)} queries)") + + +if __name__ == "__main__": + # 1. Run scans and get TestList with results_info populated + test_list = run_all() + + # 2. Write positive_expected_result.json for each query + print(f"\n{'='*60}") + print("Writing positive_expected_result.json files...\n") + write_positive_expected_results(test_list) + + # 3. Write skipped queries report + print(f"\n{'='*60}") + print("Writing skipped queries report...\n") + write_skipped_queries_report(test_list) diff --git a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json index 40450933989..eee3891c6b6 100644 --- a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json 
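Review bot: `write_positive_expected_results` creates and writes into whatever `query.test_path` says (`test_dir.mkdir(parents=True, exist_ok=True)` followed by `_write_results_file`), and the committed test list earlier in this diff carries absolute paths under one developer's home directory, so on any other machine the script would silently materialise that tree and write the expected-result files outside the repository instead of failing. Resolve the path and require it to sit under the repository's `assets/queries` directory before touching the filesystem, as below. Separately, `_get_subdir_filenames` keys on the bare `child.name`, so two `positive*` subdirectories containing a file with the same name collide and the later one wins silently; a duplicate check there, or keying on the path relative to `test_dir` if that is what `ri.filename` carries (not determinable from this hunk), would make the routing deterministic.
```python
QUERIES_ROOT = Path(__file__).resolve().parents[3] / "assets" / "queries"

# … unchanged: deduplicate_results, _get_subdir_filenames, _write_results_file …

def write_positive_expected_results(test_list: TestList) -> None:
    # … unchanged: docstring, counters, empty-results skip …
        test_dir = Path(query.test_path).resolve()
        if not test_dir.is_relative_to(QUERIES_ROOT):
            raise ValueError(f"test_path outside {QUERIES_ROOT}: {test_dir}")
        test_dir.mkdir(parents=True, exist_ok=True)
    # … unchanged: result routing and writing …
```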
@@ -2,11 +2,27 @@ { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "my_elb_application", + "searchKey": "name={{my_elb_application}}.{{community.aws.elb_application_lb}}.listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", + "actualValue": "'aws_elb_application_lb' Protocol it's not 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "my_elb_application2", + "searchKey": "name={{my_elb_application2}}.{{community.aws.elb_application_lb}}.listeners", + "searchValue": "", + "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'", + "actualValue": "'aws_elb_application_lb' Protocol is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json index d31968ad825..69cf2064ce3 100644 --- a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Basic AMI Creation", + "searchKey": "name={{Basic AMI Creation}}.{{amazon.aws.ec2_ami}}.device_mapping.encrypted", + "searchValue": "", + "expectedValue": "ec2_ami.device_mapping.encrypted should be set to true", + "actualValue": "ec2_ami.device_mapping.encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Basic AMI Creation2", + "searchKey": "name={{Basic AMI Creation2}}.{{amazon.aws.ec2_ami}}", + "searchValue": "", + "expectedValue": "ec2_ami.device_mapping.device_name.encrypted should be set to true", + "actualValue": "ec2_ami.device_mapping.device_name.encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index 88b18dd84e1..5ccfb462013 100644 --- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Update AMI Launch Permissions, making it public", + "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "searchValue": "", + "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI", + "issueType": "IncorrectValue" }, { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_ami", + "resourceName": "Allow AMI to be launched by another account", + "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions", + "searchValue": "", + "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI", + "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 1ed39fc54bd..33d1cf1aa11 100644 --- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.endpoint_type", + "searchValue": "", + "expectedValue": "'aws_api_gateway.endpoint_type' should be set to 'PRIVATE'", + "actualValue": "'aws_api_gateway.endpoint_type' is not 'PRIVATE'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index aef74f95ba2..a8666a8002c 100644 --- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudwatchlogs_log_group", + "resourceName": "Setup AWS API Gateway setup on AWS cloudwatchlogs", + "searchKey": "name={{Setup AWS API Gateway setup on AWS cloudwatchlogs}}.{{community.aws.cloudwatchlogs_log_group}}", + "searchValue": "", + "expectedValue": "cloudwatchlogs_log_grouptracing_enabled should contain log_group_name", + "actualValue": "cloudwatchlogs_log_group does not contain log_group_name defined", + "issueType": "MissingAttribute" } ] 
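Review bot: The `expectedValue` added in the api_gateway_with_cloudwatch_logging_disabled hunk, `cloudwatchlogs_log_grouptracing_enabled should contain log_group_name`, pins what looks like a mangled message (a `tracing_enabled` fragment fused onto `cloudwatchlogs_log_group`), so once this fixture is committed the test suite will enforce the typo. Since these files are generated from scan output, the wording presumably originates in the query's message and the fix belongs there, with the fixture regenerated afterwards rather than hand-edited here. The same kind of artifact appears in the cloudfront_without_minimum_protocol_tls_1.2 hunk, where both `expectedValue` and `actualValue` carry a stray closing quote (`minimum_protocol_version' should be TLSv1.2_x`). It would be worth a pass over the generated strings for such artifacts before they become the regression baseline.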
diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 9be124eee7b..10c174d16da 100644 --- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.swagger_dict", + "searchValue": "", + "expectedValue": "'community.aws.aws_api_gateway.swagger_dict' should have an authorizer set", + "actualValue": "'community.aws.aws_api_gateway.swagger_dict' does not have a authorizer set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}", + "searchValue": "", + "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set", + "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_file", + "searchValue": "", + "expectedValue": "'aws_api_gateway.swagger_file' should have an authorizer set", + "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", 
"severity": "MEDIUM", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text", + "searchValue": "", + "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set", + "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 211045f9e04..931d0e61ad8 100644 --- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json 
@@ -1,25 +1,54 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 6 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 8 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 21 - }, - - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 23 - } + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "update API", + "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set to yes", + "actualValue": "aws_api_gateway.validate_certs is not set to yes", + "issueType": "IncorrectValue" + }, + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "aws_api_gateway", + "resourceName": "update API v1", + "searchKey": "name={{update API v1}}.{{aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set", + "actualValue": "aws_api_gateway.validate_certs is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set to yes", + "actualValue": "aws_api_gateway.validate_certs is not set to yes", + "issueType": "IncorrectValue" + }, + { + "queryName": "API Gateway Without SSL Certificate", + 
"severity": "MEDIUM", + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition v1", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.validate_certs should be set", + "actualValue": "aws_api_gateway.validate_certs is undefined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json index 02ac980101b..dbc6106eccc 100644 --- a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json index dbe97c3a028..6c3a1e117cf 100644 
--- a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.tracing_enabled", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be true", + "actualValue": "aws_api_gateway.tracing_enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Update API definition to deploy new version", + "searchKey": "name={{Update API definition to deploy new version}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be defined", + "actualValue": "aws_api_gateway.tracing_enabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json index 27bfe61de31..2a9684ddf6d 100644 --- a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.sts_assume_role", + "resourceName": "Assume an existing role", + "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_serial_number", + "expectedValue": "sts_assume_role.mfa_serial_number should be set", + "actualValue": "sts_assume_role.mfa_serial_number is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index ba9b8c747ce..b61f3437eea 100644 --- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_asg", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.ec2_asg}}.load_balancers", + "searchValue": "", + "expectedValue": "community.aws.ec2_asg.load_balancers should not be empty", + "actualValue": "community.aws.ec2_asg.load_balancers is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "ec2_asg", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{ec2_asg}}", + "searchValue": "", + "expectedValue": "ec2_asg.load_balancers should be set and not empty", + "actualValue": "ec2_asg.load_balancers is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 2cff287eee5..19e542b441f 100644 --- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", + "actualValue": "rds_instance.auto_minor_version_upgrade is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", + "actualValue": "rds_instance.auto_minor_version_upgrade is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 858725018b5..38162f7b664 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue" }, { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias Password policy for AWS account", + "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index f1d91515e25..eebb5df47c1 100644 --- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ { - "line": 9, "queryName": "Batch Job Definition With Privileged Container Properties", - "severity": "HIGH" + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_batch_job_definition", + "resourceName": "My Batch Job Definition", + "searchKey": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged", + "searchValue": "", + "expectedValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged should be set to 'false' or not set", + "actualValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged is 'true'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 222b4d17cd8..5e478c6189e 100644 --- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.ca_certificate_identifier", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should equal to 'rds-ca-2019'", + "actualValue": "rds_instance.ca_certificate_identifier is not equal to 'rds-ca-2019'", + "issueType": "IncorrectValue" }, { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should be defined", + "actualValue": "rds_instance.ca_certificate_identifier is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json index b448a833b84..17cca5753af 100644 --- a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "origins", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", + "searchValue": "", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json index 58dbbac7544..724fcb75976 100644 --- a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Certificate Has Expired", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should not have expired", + "actualValue": "'community.aws.aws_acm.certificate' has expired", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index 26c7b277c74..4713a5648bc 100644 --- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should use a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with a length equal to or higher than 256 bytes", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 45d5f284ccf..1fb9b9e1bbf 100644 --- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging should be defined", + "actualValue": "cloudfront_distribution.logging is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 62 + "line": 62, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a second distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging.enabled should be true", + "actualValue": "cloudfront_distribution.logging.enabled is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index f5d18279262..52b68d190ac 100644 --- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -2,16 +2,40 @@
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "create a distribution with an origin and logging",
+ "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x",
+ "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "create another distribution with an origin and logging",
+ "searchKey": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x",
+ "actualValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1.1_2016",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 40,
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 40,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "create a third distribution",
+ "searchKey": "name={{create a third distribution}}.{{community.aws.cloudfront_distribution}}",
+ "searchValue": "",
+ "expectedValue": "cloudfront_distribution.viewer_certificate should be defined",
+ "actualValue": "cloudfront_distribution.viewer_certificate is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
index f4dbbfce596..b4d32bc1d60 100644
--- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudFront Without WAF",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "create a basic distribution with defaults and tags",
+ "searchKey": "name={{create a basic distribution with defaults and tags}}.{{community.aws.cloudfront_distribution}}",
+ "searchValue": "",
+ "expectedValue": "cloudfront_distribution.web_acl_id should be defined",
+ "actualValue": "cloudfront_distribution.web_acl_id is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
index 4e971a4b33b..9e398a7ca80 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
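Review bot: The `expectedValue` and `actualValue` strings of the line 18 and line 37 entries end the embedded search key with a stray `'` (`…minimum_protocol_version' should be TLSv1.2_x`) that has no opening quote, and they embed the whole `name={{…}}` path while the line 40 entry uses the short `cloudfront_distribution.viewer_certificate …` form. Because this fixture now asserts those exact strings, the typo becomes a locked-in expectation; the fix belongs in the query's message (drop the stray quote or add the opening one) with the fixture regenerated afterwards. The line 40 entry is also reordered so `"line"` follows `"severity"`, which matches the key order used by the other files in this change.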
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "create multi-region trail with validation and tags",
+ "searchKey": "name={{create multi-region trail with validation and tags}}.{{community.aws.cloudtrail}}",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.enable_log_file_validation or cloudtrail.log_file_validation_enabled should be defined",
+ "actualValue": "cloudtrail.enable_log_file_validation and cloudtrail.log_file_validation_enabled are undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
- "line": 21
+ "line": 21,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "create multi-region trail with validation and tags v7",
+ "searchKey": "name={{create multi-region trail with validation and tags v7}}.{{community.aws.cloudtrail}}.enable_log_file_validation",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.enable_log_file_validation should be set to true or yes",
+ "actualValue": "cloudtrail.enable_log_file_validation is not set to true nor yes",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
index f8ba4b8005d..aa69cdc13d7 100644
--- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "no sns topic name",
+ "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.kms_key_id should be set",
+ "actualValue": "cloudtrail.kms_key_id is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
index 8e57b93dc88..f9a5b330745 100644
--- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudTrail Logging Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "example",
+ "searchKey": "name={{example}}.{{community.aws.cloudtrail}}.enable_logging",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.enable_logging should be true",
+ "actualValue": "cloudtrail.enable_logging is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
index f69ea5b8494..4e863eb7f09 100644
--- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudTrail Multi Region Disabled",
 "severity": "LOW",
- "line": 7
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "example1",
+ "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.is_multi_region_trail should be true",
+ "actualValue": "cloudtrail.is_multi_region_trail is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudTrail Multi Region Disabled",
 "severity": "LOW",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "example2",
+ "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true",
+ "actualValue": "cloudtrail.is_multi_region_trail is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json
index 1a0aa93a791..3d723a3226b 100644
--- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json
@@ -1,22 +1,54 @@
 [
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 2,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_log_group_arn",
+ "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined",
+ "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 2,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_role_arn",
+ "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined",
+ "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
- "line": 14
+ "line": 14,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive2",
+ "searchKey": "name={{positive2}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_log_group_arn",
+ "expectedValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined",
+ "actualValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
- "line": 27
+ "line": 27,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive3",
+ "searchKey": "name={{positive3}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_role_arn",
+ "expectedValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined",
+ "actualValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index 85466e93e7a..3c17f3729be 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "no sns topic name",
+ "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.sns_topic_name should be set",
+ "actualValue": "cloudtrail.sns_topic_name is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "sns topic name defined",
+ "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.sns_topic_name should be set",
+ "actualValue": "cloudtrail.sns_topic_name is empty",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
index 09180c09cd9..37626107eba 100644
--- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudwatchlogs_log_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}",
+ "searchValue": "",
+ "expectedValue": "cloudwatchlogs_log_group.retention should be set",
+ "actualValue": "cloudwatchlogs_log_group.retention is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 7
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudwatchlogs_log_group",
+ "resourceName": "example2 ec2 group",
+ "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention",
+ "searchValue": "",
+ "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid",
+ "actualValue": "cloudwatchlogs_log_group.retention is set and invalid",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
index e29e5d54553..8f31773b2d4 100644
--- a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "CMK Is Unusable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key1",
+ "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enabled should be set to true",
+ "actualValue": "community.aws.aws_kms.enabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CMK Is Unusable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key2",
+ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.pending_window should be undefined",
+ "actualValue": "community.aws.aws_kms.pending_windowis is set",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
index 1515aadbc47..3bbb7ca7453 100644
--- a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
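Review bot: `"actualValue": "community.aws.aws_kms.pending_windowis is set"` on the positive2.yaml entry has `pending_windowis` where `pending_window` is meant, and asserting it here turns a message typo in the query into a test expectation; correct the query's message and regenerate rather than editing only the fixture, otherwise the two drift apart. This hunk also renames `fileName` to `filename` (the same rename appears in the cmk_rotation_disabled, cross_account_iam_assume_role_policy_without_external_id_or_mfa and ec2_group_has_public_interface hunks); please confirm the comparison harness actually reads `filename`, since the previous fixtures used the camel-case key and a silently ignored key would make the file-name check vacuous. The `should be undefined` / `is set` pair on the second entry reads like a redundant-attribute finding rather than an `IncorrectValue`, so it is worth double-checking against the query's own issue type.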
@@ -3,12 +3,26 @@
 "queryName": "CMK Rotation Disabled",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key",
+ "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set",
+ "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CMK Rotation Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key2",
+ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true",
+ "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
index 73a4efdc353..4694bacbd91 100644
--- a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "CodeBuild Not Encrypted",
- "severity": "MEDIUM",
- "line": 2
- }
-
+ {
+ "queryName": "CodeBuild Not Encrypted",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.aws_codebuild",
+ "resourceName": "My project",
+ "searchKey": "name={{My project}}.{{community.aws.aws_codebuild}}",
+ "searchValue": "",
+ "expectedValue": "aws_codebuild.encryption_key should be set",
+ "actualValue": "aws_codebuild.encryption_key is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
index db2fb69850e..e33de52798b 100644
--- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Configuration Aggregator to All Regions Disabled",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.aws_config_aggregator",
+ "resourceName": "Create cross-account aggregator",
+ "searchKey": "name={{Create cross-account aggregator}}.{{community.aws.aws_config_aggregator}}.account_sources.all_aws_regions",
+ "searchValue": "",
+ "expectedValue": "'aws_config_aggregator.account_sources' should have all_aws_regions set to true",
+ "actualValue": "'aws_config_aggregator.account_sources' has all_aws_regions set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Configuration Aggregator to All Regions Disabled",
 "severity": "LOW",
- "line": 24
+ "line": 24,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.aws_config_aggregator",
+ "resourceName": "Create cross-account aggregator2",
+ "searchKey": "name={{Create cross-account aggregator2}}.{{community.aws.aws_config_aggregator}}.organization_source.all_aws_regions",
+ "searchValue": "",
+ "expectedValue": "'aws_config_aggregator.organization_source' should have all_aws_regions set to true",
+ "actualValue": "'aws_config_aggregator.organization_source' has all_aws_regions set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
index 8310f19905b..000336cb7cf 100644
--- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Config Rule For Encrypted Volumes Disabled",
 "severity": "HIGH",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.aws_config_rule",
+ "resourceName": "foo",
+ "searchKey": "name={{foo}}",
+ "searchValue": "",
+ "expectedValue": "There should be a aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'",
+ "actualValue": "There is no aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
index a68d8c5122c..df423ae55ff 100644
--- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags",
+ "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags2",
+ "searchKey": "name={{Create a role with description and tags2}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags3",
+ "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
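Review bot: All three `expectedValue` strings read `should not contain ':root` with no closing quote, while the matching `actualValue` has `contains ':root'`; the fixture now asserts the unbalanced form verbatim. If the query's expected-value message carries the same omission, fix it there and regenerate this file so the expectation and the emitted message stay in sync instead of patching the JSON by hand. The three entries legitimately share `"line": 4` because each comes from a different positive file, so that is not a duplicate.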
diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
index 3f8f176a5fa..8b3bccb76e0 100644
--- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
@@ -1,17 +1,41 @@
 [
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 7
- },
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 17
- },
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 23
- }
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo",
+ "searchKey": "name={{foo}}.{{community.aws.rds_instance}}.storage_encrypted",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo2",
+ "searchKey": "name={{foo2}}.{{community.aws.rds_instance}}.storage_encrypted",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 23,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo3",
+ "searchKey": "name={{foo3}}.{{community.aws.rds_instance}}",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
index 0c0d773c5d5..db1cb448fbf 100644
--- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "DB Security Group Open To Large Scope",
 "severity": "HIGH",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0,10.0.0.0/8,192.168.1.0/24]",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
index dc66872abf9..87ba37aca1e 100644
--- a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "DB Security Group With Public Scope",
 "severity": "CRITICAL",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0]",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DB Security Group With Public Scope",
 "severity": "CRITICAL",
- "line": 53
+ "line": 53,
+ "filename": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules_egress.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules_egress.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules_egress.cidr_ip' is [0.0.0.0/0]",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
index fbf9d83dbd4..9afb56300a3 100644
--- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 17
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 30
+ "line": 30,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example2 ec2 group",
+ "searchKey": "name={{example2 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ip={{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 48
+ "line": 48,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example3 ec2 group",
+ "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 61
+ "line": 61,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example4 ec2 group",
+ "searchKey": "name={{example4 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6={{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 83
+ "line": 83,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example5 ec2 group",
+ "searchKey": "name={{example5 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6.{{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
index 7c506eb099d..788da35806c 100644
--- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
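Review bot: The `searchKey` format differs between entries of the same query: the line 17 and line 83 entries use a dotted element (`.rules.cidr_ip.{{0.0.0.0/0}}`, `.rules_egress.cidr_ipv6.{{::/0}}`) while the line 30, 48 and 61 entries use `=` (`.rules_egress.cidr_ip={{0.0.0.0/0}}`). Asserting both forms here freezes an inconsistency that presumably comes from separate branches of the query; settling on one form in the query and regenerating keeps a later searchKey cleanup from breaking this fixture. The `expectedValue` / `actualValue` pairs and the `IncorrectValue` type are consistent across all five entries.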
@@ -2,21 +2,53 @@ { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume01", + "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume02", + "searchKey": "name={{Creating EBS volume02}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume03", + "searchKey": "name={{Creating EBS volume03}}.{{amazon.aws.ec2_vol}}.encrypted", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be enabled", + "actualValue": "ec2_vol.encrypted is disabled", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_vol", + "resourceName": "Creating EBS volume04", + "searchKey": "name={{Creating EBS volume04}}.{{amazon.aws.ec2_vol}}", + "searchValue": "", + "expectedValue": "ec2_vol.encrypted should be defined", + "actualValue": "ec2_vol.encrypted is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json index 422c66bd094..8fab0f56bf5 100644 --- a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "EC2 Group Has Public Interface", - "severity": "HIGH", - "line": 22, - "fileName": "positive.yaml" - } + { + "queryName": "EC2 Group Has Public Interface", + "severity": "HIGH", + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip", + "searchValue": "", + "expectedValue": "'ec2_group.rules.cidr_ip' should not be 0.0.0.0/0", + "actualValue": "'ec2_group.rules.cidr_ip' is 0.0.0.0/0", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index a9c99cf8b4d..761c9b06d66 100644 --- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2.assign_public_ip is 'yes'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_launch_template", + "resourceName": "Create an ec2 launch template", + "searchKey": "name={{Create an ec2 launch template}}.{{community.aws.ec2_launch_template}}.network_interfaces.associate_public_ip_address", + "searchValue": "", + "expectedValue": "ec2_launch_template.network_interfaces.associate_public_ip_address should be set to false, 'no' or undefined", + "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a public IP address", + "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2_instance.network.assign_public_ip is 'true'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 0d4b8742ab6..e2e7eab9801 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 8007e2c024b..21823e51916 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "EC2 Instance Using Default VPC", - "severity": "LOW", - "line": 8, - "fileName": "positive.yaml" - } + { + "queryName": "EC2 Instance Using Default VPC", + "severity": "LOW", + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.vpc_subnet_id", + "searchValue": "", + "expectedValue": "'vpc_subnet_id' should not be associated with a default VPC", + "actualValue": "'vpc_subnet_id' is associated with a default VPC", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index d41d61c38f5..115f5072b7a 100644 --- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.ebs_optimized", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 ebs_optimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 738ab12a4ba..fb8e2352f40 100644 --- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json 
@@ -1,13 +1,28 @@ [ - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 2 - }, - - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 7 - } + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo", + "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set ", + "actualValue": "ecs_ecr.image_tag_mutability is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo v2", + "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", + "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 5676de08d61..79b3284fe2d 100644 --- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json 
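Review bot: `expectedValue` for the line-2 entry ends in a trailing space (`"ecs_ecr.image_tag_mutability should be set "`), so the fixture now asserts a message with stray whitespace. The sibling entry's message (`should be set to 'immutable'`) is clean, which suggests the space is a typo in the first branch of the query rather than intended output. Trim it in the query's rego and regenerate this entry as `"expectedValue": "ecs_ecr.image_tag_mutability should be set"` instead of locking the artifact into the expected results.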
@@ -2,11 +2,27 @@ { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 4 + "line": 4, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as object", + "searchKey": "name={{set-policy as object}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as string", + "searchKey": "name={{set-policy as string}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 0b9e1c22307..6be84b41416 100644 --- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ - { - "queryName": "ECS Service Admin Role Is Present", - "severity": "HIGH", - "line": 9 - } + { + "queryName": "ECS Service Admin Role Is Present", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "ECS Service", + "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}.role", + "searchValue": "", + "expectedValue": "ecs_service.role should not be an admin role", + "actualValue": "ecs_service.role is an admin role", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index b8fd110dab6..97c2f7ad16b 100644 --- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "ECS Service Without Running Tasks", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "ECS Service", + "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}", + "searchValue": "", + "expectedValue": "community.aws.ecs_service.deployment_configuration should be defined", + "actualValue": "%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index a40ef0f6b38..5c8e83eb565 100644 --- a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json 
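Review bot: `actualValue` for the ECS Service Without Running Tasks entry is `%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined`, which is Go's fmt output for an unknown format verb — the query's sprintf appears to contain `%&s` where `%s` was meant — so this commit turns a malformed message into the asserted expected result. The same artifact appears in the elb_using_insecure_protocols and elb_using_weak_ciphers fixtures later in this diff (the elb1 and elb4 entries), and those two files additionally pin `searchKey` values ending in `listeners.%!s(int=0)`, the `%s` verb applied to an integer index where `%d` (or a string conversion) belongs, so the key presumably no longer resolves to the intended `listeners.0`. Fix the format strings in the affected query.rego files and regenerate these entries rather than committing the broken output; if the fixtures have to land first, the affected strings should at least be called out so the tests are not read as confirming them.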
+++ b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{community.aws.ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue" }, { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 84a0f173861..864a8623528 100644 
--- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition", + "searchKey": "name={{Create task definition}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'default'", + "issueType": "IncorrectValue" }, { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition2", + "searchKey": "name={{Create task definition2}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json index 970263b7fe3..17a04dcff11 100644 --- a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 25 + "line": 25, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json index 8995f772a8e..1fc27f50a33 100644 --- a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.kms_key_id should be set", + "actualValue": "efs.kms_key_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json index 8594bf83818..2a86fc6b0bf 100644 --- a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "EFS Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "EFS provisioning without tags", + "searchKey": "name={{EFS provisioning without tags}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags should be set", + "actualValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json index a729b0e9d1c..39d71d464ea 100644 --- a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 11211", + "actualValue": "'cache_port' is set to 11211", + "issueType": "IncorrectValue" }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example2", + "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 6379", + "actualValue": "'cache_port' is set to 6379", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json index 6367ea5e9ee..64c6c980a65 100644 --- a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "ElastiCache Without VPC", - "severity": "LOW", - "line": 2, - "fileName": "positive.yaml" - } + { + "queryName": "ElastiCache Without VPC", + "severity": "LOW", + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}", + "searchValue": "", + "expectedValue": "'cache_subnet_group' should be defined and not null", + "actualValue": "'cache_subnet_group' is undefined or null", + "issueType": "IncorrectValue" + } ] 
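Review bot: The ElastiCache Without VPC entry is labelled `"issueType": "IncorrectValue"` although its messages are `'cache_subnet_group' should be defined and not null` / `'cache_subnet_group' is undefined or null`, which is the shape that maps to `MissingAttribute` elsewhere in this commit (EFS Without KMS, ECS Service Without Running Tasks). If the query's rego genuinely reports IncorrectValue for this branch the fixture is correct, but since the script in this change derives issueType from the rego and then matches entries by message pattern, it is worth confirming that the `is undefined or null` wording did not steer it to the wrong classification.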
diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index db63e1ea6e3..f60d7659881 100644
--- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": "MissingAttribute" }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 2, - "fileName": 
"positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 0c3e3ad87ae..d6b7b4374e9 100644 --- a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 40 + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 52 + "line": 52, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": 
"%!&(string=community.aws.elb_network_lb)s.listeners is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 70 + "line": 70, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 89 + "line": 89, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy is a secure protocol", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is an insecure protocol", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json index deda62d1c26..12db88cd260 100644 --- a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json 
@@ -1,32 +1,80 @@ [ - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 3 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 40 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 52 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 70 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 89 - } + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 40, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb3", + "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": 
"community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 52, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 70, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 89, + "filename": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json index af7fa0f090a..db36ec3f3ca 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Hardcoded AWS Access Key",
 "severity": "HIGH",
- "line": 7
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.ec2_instance",
+ "resourceName": "start an instance with a cpu_options",
+ "searchKey": "name={{start an instance with a cpu_options}}.{{community.aws.ec2_instance}}.user_data",
+ "searchValue": "",
+ "expectedValue": "'ec2_instance.user_data' shouldn't contain access key",
+ "actualValue": "'ec2_instance.user_data' contains access key",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
index e0069607293..c133805645e 100644
--- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.lambda",
+ "resourceName": "looped creation",
+ "searchKey": "name={{looped creation}}.{{community.aws.lambda}}.aws_access_key",
+ "searchValue": "",
+ "expectedValue": "lambda.aws_access_key should not be in plaintext",
+ "actualValue": "lambda.aws_access_key is in plaintext",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.lambda",
+ "resourceName": "remove tags",
+ "searchKey": "name={{remove tags}}.{{community.aws.lambda}}.aws_access_key",
+ "searchValue": "",
+ "expectedValue": "lambda.aws_access_key should not be in plaintext",
+ "actualValue": "lambda.aws_access_key is in plaintext",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
index 094f0bad534..8f3300805ed 100644
--- a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json
@@ -2,36 +2,92 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49 + "line": 49, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group4", + "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", 
- "line": 64 + "line": 64, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 79 + "line": 79, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 93 + "line": 93, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 0935349027b..406158bf675 100644 --- a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json 
@@ -1,17 +1,41 @@
 [
- {
- "queryName": "IAM Access Key Is Exposed",
- "severity": "MEDIUM",
- "line": 7
- },
- {
- "queryName": "IAM Access Key Is Exposed",
- "severity": "MEDIUM",
- "line": 26
- },
- {
- "queryName": "IAM Access Key Is Exposed",
- "severity": "MEDIUM",
- "line": 36
- }
+ {
+ "queryName": "IAM Access Key Is Exposed",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam",
+ "resourceName": "Create two new IAM users with API keys",
+ "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state",
+ "searchValue": "",
+ "expectedValue": "iam.name should be 'root' for an active access key",
+ "actualValue": "iam.name is '{{ item }}' for an active access key",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "IAM Access Key Is Exposed",
+ "severity": "MEDIUM",
+ "line": 26,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam",
+ "resourceName": "Create Two Groups, Mario and Luigi",
+ "searchKey": "name={{Create Two Groups, Mario and Luigi}}.{{community.aws.iam}}.access_key_state",
+ "searchValue": "",
+ "expectedValue": "iam.name should be 'root' for an active access key",
+ "actualValue": "iam.name is '{{ item }}' for an active access key",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "IAM Access Key Is Exposed",
+ "severity": "MEDIUM",
+ "line": 36,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam",
+ "resourceName": "Update user",
+ "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state",
+ "searchValue": "",
+ "expectedValue": "iam.name should be 'root' for an active access key",
+ "actualValue": "iam.name is 'jdavila' for an active access key",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
index 3e10b8cd6a2..be94174c32d 100644
--- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
- "line": 9
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication",
+ "searchValue": "",
+ "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled",
+ "actualValue": "rds_instance.enable_iam_database_authentication is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "Create a DB instance using the default AWS KMS encryption key",
+ "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication",
+ "searchValue": "",
+ "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled",
+ "actualValue": "rds_instance.enable_iam_database_authentication is disabled",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json
index 476d69ce3c0..da86482bafd 100644
--- a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "IAM Group Without Users",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "iam_group",
+ "resourceName": "Group1",
+ "searchKey": "name={{Group1}}.{{iam_group}}",
+ "searchValue": "",
+ "expectedValue": "iam_group.users should be defined and not null",
+ "actualValue": "iam_group.users is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Group Without Users",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "iam_group",
+ "resourceName": "Group2",
+ "searchKey": "name={{Group2}}.{{iam_group}}",
+ "searchValue": "",
+ "expectedValue": "iam_group.users should be defined and not null",
+ "actualValue": "iam_group.users is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json
index 11e6af830a7..1ca73ac508b 100644
--- a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_password_policy",
+ "resourceName": "Password policy for AWS account",
+ "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}",
+ "searchValue": "",
+ "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8",
+ "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_password_policy",
+ "resourceName": "aws_iam_account_password_policy",
+ "searchKey": "name={{aws_iam_account_password_policy}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}",
+ "searchValue": "",
+ "expectedValue": "iam_password_policy.min_pw_length should be set and no less than 8",
+ "actualValue": "iam_password_policy.min_pw_length is less than 8",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
- "line": 27
+ "line": 27,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_password_policy",
+ "resourceName": "aws_iam_account_password_policy_2",
+ "searchKey": "name={{aws_iam_account_password_policy_2}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}",
+ "searchValue": "",
+ "expectedValue": "iam_password_policy.minimum_password_length should be set and no less than 8",
+ "actualValue": "iam_password_policy.minimum_password_length is less than 8",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
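Review bot: The third entry's searchKey ends in `.{{min_pw_length}}` while its expectedValue and actualValue describe `minimum_password_length`; the second entry carries the same searchKey suffix for an attribute that really is min_pw_length. If the query builds the searchKey from a fixed attribute name rather than the one it matched, the location it reports for line 27 of positive.yaml points at an attribute that task does not set, and pinning it here makes that permanent. Worth checking the searchKey construction in query.rego before this value is committed as expected output.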
diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json
index 3eb0b178029..6609f4daa4a 100644
--- a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "IAM Policies Attached To User",
- "severity": "MEDIUM",
- "line": 3
- }
+ {
+ "queryName": "IAM Policies Attached To User",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_policy",
+ "resourceName": "Assign a policy called Admin to user",
+ "searchKey": "name={{Assign a policy called Admin to user}}.{{community.aws.iam_policy}}.iam_type",
+ "searchValue": "",
+ "expectedValue": "iam_policy.iam_type should be configured with group or role",
+ "actualValue": "iam_policy.iam_type is configured with user",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
index c8eb04cd6f1..7cfc051bef6 100644
--- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "IAM Policies With Full Privileges",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_managed_policy",
+ "resourceName": "Create IAM Managed Policy",
+ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "iam_managed_policy.policy.Statement.Action should not contain '*'",
+ "actualValue": "iam_managed_policy.policy.Statement.Action contains '*'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
index 4caf867fb9d..f8128d20be1 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_managed_policy",
+ "resourceName": "Create IAM Managed Policy",
+ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain '*'",
+ "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains '*'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
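Review bot: The issueType pinned for "IAM Policies With Full Privileges", `"issueType": "MissingAttribute"`, contradicts the message pair right above it: `Statement.Action should not contain '*'` against `contains '*'` describes an attribute that is present with a bad value, which is IncorrectValue, and the assumerole hunk in the same diff line pins IncorrectValue for an identically shaped message. If this value mirrors the issueType in the query's rego result block, the classification is wrong there and should be corrected and the fixture regenerated so the line reads `"issueType": "IncorrectValue"`; if it was assigned by pattern matching, the match picked the wrong branch. Either way, consumers that filter findings by issue type will misfile this one until it is fixed.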
diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
index 6b957568732..977cdd011d4 100644
--- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_managed_policy",
+ "resourceName": "Create IAM Managed Policy",
+ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should no be equal to '*'",
+ "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
index 770a1a9129e..2d327157c98 100644
--- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
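Review bot: The expectedValue added in the "IAM Policy Grants Full Permissions" hunk carries a typo, `should no be equal to '*'`, and that text is what the scanner shows to users. Because the fixture has to match the emitted message byte for byte, the fix belongs in the query's keyExpectedValue followed by regenerating this file, so that the line reads `"expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not be equal to '*'"`; correcting only the fixture would make the test fail against the unchanged rego.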
@@ -3,12 +3,26 @@
 "queryName": "IAM Role Allows All Principals To Assume",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_managed_policy",
+ "resourceName": "Create IAM Managed Policy",
+ "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root",
+ "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Role Allows All Principals To Assume",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam_managed_policy",
+ "resourceName": "Create2 IAM Managed Policy",
+ "searchKey": "name={{Create2 IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root",
+ "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
index f43bdfb60d9..c0500ed6945 100644
--- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
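Review bot: Both expectedValue strings in this hunk end with an unbalanced quote, `should not contain ':root`, while the paired actualValue closes it, `contains ':root'`. The string presumably mirrors the query's keyExpectedValue, so the missing `'` should be added in query.rego and this file regenerated rather than patched by hand; if the fixture was instead hand-edited, the test will fail on the mismatch with the scanner output.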
@@ -1,122 +1,262 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 32, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 2, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 29, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 35, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 47, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive4.yaml" - }, - { - 
"queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive5.yaml" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive1.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive1.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + 
"queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 32, + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive1.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 2, + "filename": "positive2.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance", + "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": 
"positive2.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration", + "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive2.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming", + "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 29, + "filename": "positive2.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming", + "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with 
metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive3.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 35, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 47, + "filename": "positive3.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + 
"searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive4.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive4.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive4.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance 
with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive4.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive5.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "filename": "positive5.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata 
options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive5.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "filename": "positive5.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json index fa4b4be12f2..242ce78fb74 100644 --- a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "Start an instance and have it begin a Tower callback on boot", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "community.aws.ec2_instance.vpc_subnet_id should be set", + "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "Start an instance and have it begin a Tower callback on boot v2", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", + "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 579cb51f9e7..7abc38c4f7b 100644 --- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream.", + "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set", + "actualValue": "kinesis_stream.encryption_state is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 16 + "line": 16, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v2", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set to enabled", + "actualValue": "kinesis_stream.encryption_state is not set to enabled", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v3", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v3}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set", + "actualValue": "kinesis_stream.encryption_type is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 38 + "line": 38, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v4", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. 
v4}}.{{community.aws.kinesis_stream}}.encryption_type", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set and not NONE", + "actualValue": "kinesis_stream.encryption_type is set but NONE", + "issueType": "IncorrectValue" }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 44 + "line": 44, + "filename": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v5", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.key_id should be set", + "actualValue": "kinesis_stream.key_id is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json index bfae2532cb7..f6c6b07a74b 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key", + "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}.policy", + "searchValue": "", + "expectedValue": "aws_kms.policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue" }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", + "searchValue": "", + "expectedValue": "'policy' should be undefined or null", + "actualValue": "'policy' is defined and not null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json index 39bea3ef11d..84e1797425c 100644 --- a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json 
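Review bot: The second entry (positive2.yaml, line 3) is tagged `"issueType": "MissingAttribute"` while its own `actualValue` reads `'policy' is defined and not null`, so the label contradicts the finding it describes; for an attribute that is present but should be absent the recognised label is `RedundantAttribute`, and the query's rego should be checked before this expectation is committed, because the test will otherwise pin whatever the text heuristic guessed. The generator described at the top of this diff keys on expectedValue/actualValue wording, and the phrase `should be undefined or null` in the expected string is the likely trigger for the wrong class. The expected text itself also reads oddly for a "vulnerable policy" query (absence of a key policy is not what the wildcard check is about), so it is worth confirming the message came from the intended rule branch rather than a helper's fallback.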
@@ -2,6 +2,14 @@ { "queryName": "Lambda Function Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "add tags", + "searchKey": "name={{add tags}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "name={{add tags}}.{{community.aws.lambda}}.tags should be defined", + "actualValue": "name={{add tags}}.{{community.aws.lambda}}.tags is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 1b3f379b1a1..e683756a1b2 100644 --- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation", + "searchKey": "name={{looped creation}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set", + "actualValue": "lambda.tracing_mode is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation V2", + "searchKey": "name={{looped creation V2}}.{{community.aws.lambda}}.tracing_mode", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set to 'Active'", + "actualValue": "lambda.tracing_mode is not set to 'Active'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json index ac77dd2ec5c..4f60de6ba31 100644 --- a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Lambda Permission Misconfigured", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 notification positive", + "searchKey": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action", + "searchValue": "", + "expectedValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action should be 'lambda:InvokeFunction'", + "actualValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action is lambda:CreateFunction", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 5e494d7d90e..1ca9aacfcac 100644 --- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ { - "line": 8, "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal", + "searchValue": "", + "expectedValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal shouldn't contain a wildcard", + "actualValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal contains a wildcard", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json index 5793a13e191..d8f75f37cd2 100644 --- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set to true or yes", + "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes", + "issueType": "IncorrectValue" }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v2", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set", + "actualValue": "ec2_lc.volumes[0].encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v3", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v3}}.{{ec2_lc}}", + "searchValue": "", + "expectedValue": "ec2_lc.volumes should be set", + "actualValue": "ec2_lc.volumes is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 16b5f7cbeab..48e1a2a3425 100644 
--- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Missing Password policy for AWS account", + "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "MissingAttribute" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Extreme Password policy for AWS account", + "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 33 + "line": 33, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias extreme Password policy for AWS account", + "searchKey": "name={{Alias extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.password_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue" } -] \ No newline at 
end of file +] diff --git a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json index 9efdc650bfc..12b2b0771f5 100644 --- a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "cloudformation.stack_policy should be set", + "actualValue": "cloudformation.stack_policy is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json index 1dacba2e48f..567159b1ed0 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account2", + "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "IncorrectValue" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account3", + "searchKey": "name={{Password policy for AWS account3}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index db5c9004dc2..a5c8e0c2d69 100644 --- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM", - "line": 9 - } + { + "queryName": "Public Lambda via API Gateway", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{lambda_policy}}.source_arn", + "searchValue": "", + "expectedValue": "lambda_policy.source_arn should not equal to '/*/*'", + "actualValue": "lambda_policy.source_arn is equal to '/*/*'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json index 697c1bac5ea..0816e230543 100644 --- a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 8 - }, - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 12 - } + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 8, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't have public port wide", + "actualValue": "ec2_group.rules[0] has public port wide", + "issueType": "IncorrectValue" + }, + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 12, + "filename": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] shouldn't have public port wide", + "actualValue": "ec2_group.rules[1] has public port wide", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 4d438cbfa35..af90b8c732f 100644 --- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 9, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 75c61207d63..57c65b4256c 100644 --- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json 
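Review bot: This entry is tagged `"issueType": "MissingAttribute"` but its `searchKey` ends in `.db_subnet_group_name`, which suggests the attribute is present in positive.yaml, and the `actualValue` `RDS is running in a public subnet` describes a bad value rather than an absent field; `IncorrectValue` looks like the consistent label unless query.rego genuinely emits MissingAttribute on this path, so please confirm against the rego instead of the text heuristic. The expected/actual strings also name neither the attribute nor the offending value, which makes this fixture hard to audit against the playbook; if the query message can be tightened to something like `'db_subnet_group_name' should reference a subnet group without public subnets`, the fixture should follow.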
@@ -2,11 +2,27 @@ { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds_instance.publicly_accessible should be false", + "actualValue": "community.aws.rds_instance.publicly_accessible is true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "community.aws.rds", + "resourceName": "community - Basic mysql provisioning example", + "searchKey": "name={{community - Basic mysql provisioning example}}.{{community.aws.rds}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds.publicly_accessible should be false", + "actualValue": "community.aws.rds.publicly_accessible is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json index 0282b397a25..11c751157e3 100644 --- a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "RDS Using Default Port",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 3306",
+ "actualValue": "'port' is set to 3306",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Using Default Port",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group2",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 5432",
+ "actualValue": "'port' is set to 5432",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Using Default Port",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group2",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 1521",
+ "actualValue": "'port' is set to 1521",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Using Default Port",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group2",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 1433",
+ "actualValue": "'port' is set to 1433",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json
index 61f421b9d95..ec92dbad951 100644
--- a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "create minimal aurora instance in default VPC and default subnet group",
+ "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.backup_retention_period",
+ "searchValue": "",
+ "expectedValue": "rds_instance should have the property 'backup_retention_period' greater than 0",
+ "actualValue": "rds_instance has the property 'backup_retention_period' assigned to 0",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json
index b9ec5be90a3..5752a72488d 100644
--- a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Redis Not Compliant",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.elasticache",
+ "resourceName": "Basic example",
+ "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_engine_version",
+ "searchValue": "",
+ "expectedValue": "elasticache.cache_engine_version should be compliant with the AWS PCI DSS requirements",
+ "actualValue": "elasticache.cache_engine_version isn't compliant with the AWS PCI DSS requirements",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json
index e51ed569eba..d09fb3ea107 100644
--- a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Redshift Not Encrypted",
 "severity": "HIGH",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Basic cluster provisioning example",
+ "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}",
+ "searchValue": "",
+ "expectedValue": "redshift.encrypted should be set to true",
+ "actualValue": "redshift.encrypted is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Redshift Not Encrypted",
 "severity": "HIGH",
- "line": 19
+ "line": 19,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Basic cluster provisioning example2",
+ "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted",
+ "searchValue": "",
+ "expectedValue": "redshift.encrypted should be set to true",
+ "actualValue": "redshift.encrypted is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Redshift Not Encrypted",
 "severity": "HIGH",
- "line": 29
+ "line": 29,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Basic cluster provisioning example3",
+ "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted",
+ "searchValue": "",
+ "expectedValue": "redshift.encrypted should be set to true",
+ "actualValue": "redshift.encrypted is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json
index 183c583e6ea..52cb2f2dffa 100644
--- a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Redshift Publicly Accessible",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Basic cluster provisioning example04",
+ "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible",
+ "searchValue": "",
+ "expectedValue": "redshift.publicly_accessible should be set to false",
+ "actualValue": "redshift.publicly_accessible is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Redshift Publicly Accessible",
 "severity": "HIGH",
- "line": 17
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Basic cluster provisioning example05",
+ "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible",
+ "searchValue": "",
+ "expectedValue": "redshift.publicly_accessible should be set to false",
+ "actualValue": "redshift.publicly_accessible is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Redshift Publicly Accessible",
 "severity": "HIGH",
- "line": 25
+ "line": 25,
+ "filename": "positive.yaml",
+ "resourceType": "redshift",
+ "resourceName": "Basic cluster provisioning example06",
+ "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible",
+ "searchValue": "",
+ "expectedValue": "redshift.publicly_accessible should be set to false",
+ "actualValue": "redshift.publicly_accessible is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json
index 8241a36870f..ccc3b258c5d 100644
--- a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Redshift Using Default Port",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.redshift",
+ "resourceName": "Redshift",
+ "searchKey": "name={{Redshift}}.{{community.aws.redshift}}.port",
+ "searchValue": "",
+ "expectedValue": "redshift.port should not be set to 5439",
+ "actualValue": "redshift.port is set to 5439",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json
index 656120158f2..0f8d4b43182 100644
--- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json
@@ -2,36 +2,92 @@
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group1",
+ "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 23
+ "line": 23,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group2",
+ "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 36
+ "line": 36,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group3",
+ "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 49
+ "line": 49,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group4",
+ "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 64
+ "line": 64,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group5",
+ "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 79
+ "line": 79,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group6",
+ "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
- "line": 93
+ "line": 93,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group7",
+ "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)",
+ "actualValue": "ec2_group.rules opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json
index 25b4a19110d..ddc810aa78f 100644
--- a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Root Account Has Active Access Keys",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.iam",
+ "resourceName": "Create two new IAM users with API keys",
+ "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}",
+ "searchValue": "",
+ "expectedValue": "iam should not be active for a root account",
+ "actualValue": "iam is active for a root account",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json
index f2880c7d7f9..6d262543ee7 100644
--- a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "Route53 Record Undefined",
- "severity": "HIGH",
- "line": 3
- },
- {
- "queryName": "Route53 Record Undefined",
- "severity": "HIGH",
- "line": 14
- }
+ {
+ "queryName": "Route53 Record Undefined",
+ "severity": "HIGH",
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.route53",
+ "resourceName": "Use a routing policy to distribute traffic02",
+ "searchKey": "name={{Use a routing policy to distribute traffic02}}.{{community.aws.route53}}",
+ "searchValue": "",
+ "expectedValue": "route53.value should be defined or not null",
+ "actualValue": "route53.value is undefined or null",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Route53 Record Undefined",
+ "severity": "HIGH",
+ "line": 14,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.route53",
+ "resourceName": "Use a routing policy to distribute traffic03",
+ "searchKey": "name={{Use a routing policy to distribute traffic03}}.{{community.aws.route53}}",
+ "searchValue": "",
+ "expectedValue": "route53.value should be defined or not null",
+ "actualValue": "route53.value is undefined or null",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
index a0c9e642dd8..8d18d451225 100644
--- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Create a simple s3 bucket with a policy",
+ "searchKey": "name={{Create a simple s3 bucket with a policy}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "s3_bucket.policy.Statement shouldn't make the bucket accessible to all AWS Accounts",
+ "actualValue": "s3_bucket.policy.Statement does make the bucket accessible to all AWS Accounts",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json
index 18d2e29c9e0..8a958995930 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "S3 Bucket ACL Allows Read to All Users",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.aws_s3",
+ "resourceName": "Create an empty bucket",
+ "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission",
+ "searchValue": "",
+ "expectedValue": "aws_s3 should not have read access for all user groups",
+ "actualValue": "aws_s3 has read access for all user groups",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read to All Users",
 "severity": "HIGH",
- "line": 11
+ "line": 11,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.aws_s3",
+ "resourceName": "Create an empty bucket2",
+ "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission",
+ "searchValue": "",
+ "expectedValue": "aws_s3 should not have read access for all user groups",
+ "actualValue": "aws_s3 has read access for all user groups",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
index 87d25ea164a..59196d0d38d 100644
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.aws_s3",
+ "resourceName": "Create an empty bucket2",
+ "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission",
+ "searchValue": "",
+ "expectedValue": "aws_s3 should not have read access for all authenticated users",
+ "actualValue": "aws_s3 has read access for all authenticated users",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
index 06c2ef921aa..27e8bf1e73b 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Bucket",
+ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "s3_bucket[mys3bucket] should not allow Delete Action From All Principals",
+ "actualValue": "s3_bucket[mys3bucket] allows Delete Action From All Principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
index 8f1b3fbcadf..2368457dd01 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Bucket",
+ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "s3_bucket[mys3bucket] should not allow Get Action From All Principals",
+ "actualValue": "s3_bucket[mys3bucket] allows Get Action From All Principals",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
index 29ade8a428f..2a12619e07c 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Bucket",
+ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "s3_bucket[mys3bucket] should not allow List Action From All Principals",
+ "actualValue": "s3_bucket[mys3bucket] allows List Action From All Principals",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
index c876ed36f9f..26d4db06d34 100644
--- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Bucket",
+ "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "s3_bucket[mys3bucket] should not allow Put Action From All Principals",
+ "actualValue": "s3_bucket[mys3bucket] allows Put Action From All Principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
index 312ed116fe5..79718d74bcc 100644
--- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Create S3 bucket",
+ "searchKey": "name={{Create S3 bucket}}.{{amazon.aws.s3_bucket}}.debug_botocore_endpoint_logs",
+ "searchValue": "",
+ "expectedValue": "s3_bucket.debug_botocore_endpoint_logs should be true",
+ "actualValue": "s3_bucket.debug_botocore_endpoint_logs is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
index fafb06cc6bd..79a9924b077 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "S3 Bucket With All Permissions",
 "severity": "CRITICAL",
- "line": 5
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Create s3 bucket",
+ "searchKey": "name={{Create s3 bucket}}.{{amazon.aws.s3_bucket}}.policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement' should not allow all actions to all principal",
+ "actualValue": "'policy.Statement' allows all actions to all principal",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json
index aa8f4a2d3a9..21814de4045 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json
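Review bot: The added searchKey and expectedValue for "S3 Bucket Logging Disabled" pin the check to `debug_botocore_endpoint_logs`, which in the amazon.aws modules is the shared option that turns on botocore endpoint debug logging, not S3 server access logging. If query.rego really keys on that option, this fixture now locks in a detector that misses a bucket with no `logging` block and fires on any playbook that merely leaves debug logging off. That is a query defect rather than a fixture one, so the right follow-up is to correct the rego's attribute and regenerate this file, not to hand-edit the expected strings here.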
@@ -2,11 +2,27 @@
 {
 "queryName": "S3 Bucket With Public Access",
 "severity": "CRITICAL",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.aws_s3",
+ "resourceName": "Create an empty bucket",
+ "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission",
+ "searchValue": "",
+ "expectedValue": "aws_s3.permission shouldn't allow public access",
+ "actualValue": "aws_s3.permission allows public access",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket With Public Access",
 "severity": "CRITICAL",
- "line": 11
+ "line": 11,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.aws_s3",
+ "resourceName": "Create an empty bucket 01",
+ "searchKey": "name={{Create an empty bucket 01}}.{{amazon.aws.aws_s3}}.permission",
+ "searchValue": "",
+ "expectedValue": "aws_s3.permission shouldn't allow public access",
+ "actualValue": "aws_s3.permission allows public access",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
index 92201a3d8d4..8311c1745b0 100644
--- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.aws_s3_cors",
+ "resourceName": "Create s3 bucket2",
+ "searchKey": "name={{Create s3 bucket2}}.{{community.aws.aws_s3_cors}}.rules",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_s3_cors[0] should not allow all methods, all headers or several origins",
+ "actualValue": "community.aws.aws_s3_cors[0] allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "aws_s3_cors",
+ "resourceName": "Create s3 bucket4",
+ "searchKey": "name={{Create s3 bucket4}}.{{aws_s3_cors}}.rules",
+ "searchValue": "",
+ "expectedValue": "aws_s3_cors[0] should not allow all methods, all headers or several origins",
+ "actualValue": "aws_s3_cors[0] allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json
index 64fca39c902..08b1a9e210a 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "S3 Bucket Without Server-side-encryption",
 "severity": "HIGH",
- "line": 5
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "Create a simple s3 bucket",
+ "searchKey": "name={{Create a simple s3 bucket}}.{{amazon.aws.s3_bucket}}.encryption",
+ "searchValue": "",
+ "expectedValue": "s3_bucket.encryption should not be 'none'",
+ "actualValue": "s3_bucket.encryption is 'none'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
index b92ee4c0630..c315c35fe24 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "foo",
+ "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}",
+ "searchValue": "",
+ "expectedValue": "s3_bucket should have versioning set to true",
+ "actualValue": "s3_bucket does not have versioning (defaults to false)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.s3_bucket",
+ "resourceName": "foo2",
+ "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning",
+ "searchValue": "",
+ "expectedValue": "s3_bucket should have versioning set to true",
+ "actualValue": "s3_bucket does has versioning set to false",
+ "issueType": "IncorrectValue"
 }
 ]
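Review bot: The second entry of the s3_bucket_without_versioning hunk pins the actualValue `s3_bucket does has versioning set to false`, a grammatical slip that presumably mirrors the sprintf message in that query's rego. Because these fixtures must match the query output verbatim, the fix belongs in query.rego (`s3_bucket has versioning set to false`) followed by regenerating this file; correcting only the fixture would make the positive test fail.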
diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json
index 0c32f95eaa3..7233a540356 100644
--- a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
- "line": 14
+ "line": 14,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "example",
+ "searchKey": "name={{example}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version should be TLSv1.1 or TLSv1.2",
+ "actualValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version isn't TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json
index 6f227d16122..f410ead625c 100644
--- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json
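Review bot: The expectedValue pinned for "Secure Ciphers Disabled" says minimum_protocol_version `should be TLSv1.1 or TLSv1.2`, which suggests the query still treats TLSv1.1 as acceptable even though RFC 8996 deprecated it. Committing the string here locks that accepted set into the test; if the rego is later tightened to TLSv1.2 and the newer `TLSv1.2_*` CloudFront policy values, this message and fixture have to be regenerated together, so it may be cheaper to tighten the query before landing the fixture.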
@@ -2,31 +2,79 @@
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] should be restricted",
+ "actualValue": "ec2_group.rules[0] is not restricted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[1] should be restricted",
+ "actualValue": "ec2_group.rules[1] is not restricted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[2] should be restricted",
+ "actualValue": "ec2_group.rules[2] is not restricted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 27
+ "line": 27,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group v2",
+ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] should be restricted",
+ "actualValue": "ec2_group.rules[0] is not restricted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 31
+ "line": 31,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group v2",
+ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[1] should be restricted",
+ "actualValue": "ec2_group.rules[1] is not restricted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Ingress Not Restricted",
 "severity": "HIGH",
- "line": 35
+ "line": 35,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group v2",
+ "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[2] should be restricted",
+ "actualValue": "ec2_group.rules[2] is not restricted",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 494b7d0ff8b..554b4aae4d9 100644
--- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] SSH' (Port:22) should not be public",
+ "actualValue": "ec2_group.rules[0] SSH' (Port:22) is public",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[1] SSH' (Port:22) should not be public",
+ "actualValue": "ec2_group.rules[1] SSH' (Port:22) is public",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[2] SSH' (Port:22) should not be public",
+ "actualValue": "ec2_group.rules[2] SSH' (Port:22) is public",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
index 3f258837a38..545eb4c538e 100644
--- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
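Review bot: Every `expectedValue`/`actualValue` in this hunk carries a stray apostrophe, `ec2_group.rules[0] SSH' (Port:22) should not be public`, which reads like an unbalanced quote in the query's sprintf format rather than intended wording. Because these strings are what the positive test now matches against, the quote should be fixed at the source (presumably `keyExpectedValue`/`keyActualValue` in query.rego) and the three entries regenerated in the same change, e.g. `"expectedValue": "ec2_group.rules[0] SSH (Port:22) should not be public"`. Committing the fixture first would make the later message fix look like a regression.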
@@ -3,6 +3,13 @@
 "queryName": "SES Policy With Allowed IAM Actions",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.aws_ses_identity_policy",
+ "resourceName": "add sending authorization policy to email identityyy",
+ "searchKey": "name={{add sending authorization policy to email identityyy}}.{{community.aws.aws_ses_identity_policy}}.policy",
+ "searchValue": "",
+ "expectedValue": "'policy' should not allow IAM actions to all principals",
+ "actualValue": "'policy' allows IAM actions to all principals",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
index 879a626a397..685ba248dee 100644
--- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
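Review bot: The key `fileName` is renamed to `filename` on the fourth line of the hunk, which changes the schema this fixture is read with, and whether that is intentional depends on the test harness, which this diff does not show. If the harness unmarshals with Go's encoding/json the field match is case-insensitive and both spellings load, but fixtures elsewhere in the repository that still use `fileName` would then differ in shape from these, and any stricter comparison or fixture linter would treat the two differently. Either keep `"fileName": "positive.yaml",` here or confirm the harness expects the lowercase key and apply the rename everywhere in one pass.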
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "SNS Topic is Publicly Accessible",
- "severity": "CRITICAL",
- "line": 23,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "SNS Topic is Publicly Accessible",
- "severity": "CRITICAL",
- "line": 52,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "SNS Topic is Publicly Accessible",
- "severity": "CRITICAL",
- "line": 23,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "SNS Topic is Publicly Accessible",
- "severity": "CRITICAL",
- "line": 55,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "SNS Topic is Publicly Accessible",
+ "severity": "CRITICAL",
+ "line": 23,
+ "filename": "positive1.yaml",
+ "resourceType": "community.aws.sns_topic",
+ "resourceName": "Create alarm SNS topic community",
+ "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy",
+ "searchValue": "",
+ "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal",
+ "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "SNS Topic is Publicly Accessible",
+ "severity": "CRITICAL",
+ "line": 52,
+ "filename": "positive1.yaml",
+ "resourceType": "sns_topic",
+ "resourceName": "Create alarm SNS topic",
+ "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy",
+ "searchValue": "",
+ "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal",
+ "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "SNS Topic is Publicly Accessible",
+ "severity": "CRITICAL",
+ "line": 23,
+ "filename": "positive2.yaml",
+ "resourceType": "community.aws.sns_topic",
+ "resourceName": "Create alarm SNS topic community",
+ "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy",
+ "searchValue": "",
+ "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal",
+ "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "SNS Topic is Publicly Accessible",
+ "severity": "CRITICAL",
+ "line": 55,
+ "filename": "positive2.yaml",
+ "resourceType": "sns_topic",
+ "resourceName": "Create alarm SNS topic",
+ "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy",
+ "searchValue": "",
+ "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal",
+ "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
index a3eb82d8f96..d772e5b0948 100644
--- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 9
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example using security group rule descriptions",
+ "searchKey": "name={{example using security group rule descriptions}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)",
+ "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 23
+ "line": 23,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example using security group rule descriptions 2",
+ "searchKey": "name={{example using security group rule descriptions 2}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)",
+ "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example using security group rule descriptions 3",
+ "searchKey": "name={{example using security group rule descriptions 3}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)",
+ "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 51
+ "line": 51,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example using security group rule descriptions 4",
+ "searchKey": "name={{example using security group rule descriptions 4}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)",
+ "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 65
+ "line": 65,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example using security group rule descriptions 5",
+ "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)",
+ "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
index c16a93df09f..c19cb955427 100644
--- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "SQS Policy Allows All Actions",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Second SQS queue with policy",
+ "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy",
+ "searchValue": "",
+ "expectedValue": "sqs_queue.policy.Statement should not contain Action equal to '*'",
+ "actualValue": "sqs_queue.policy.Statement contains Action equal to '*'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json
index 0e7522dd585..4954f5f67c7 100644
--- a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "SQS Policy With Public Access",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "First SQS queue with policy",
+ "searchKey": "name={{First SQS queue with policy}}.{{community.aws.sqs_queue}}.policy",
+ "searchValue": "",
+ "expectedValue": "sqs_queue.policy.Principal should not equal to '*'",
+ "actualValue": "sqs_queue.policy.Principal is equal to '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQS Policy With Public Access",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Second SQS queue with policy",
+ "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy",
+ "searchValue": "",
+ "expectedValue": "sqs_queue.policy.Principal should not equal to '*'",
+ "actualValue": "sqs_queue.policy.Principal is equal to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json
index f2422275416..8c785d4cb0a 100644
--- a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "SQS Queue Exposed",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "example",
+ "searchKey": "name={{example}}.{{community.aws.sqs_queue}}.policy",
+ "searchValue": "",
+ "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible",
+ "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQS Queue Exposed",
 "severity": "HIGH",
 "line": 31,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "example with list",
+ "searchKey": "name={{example with list}}.{{community.aws.sqs_queue}}.policy",
+ "searchValue": "",
+ "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible",
+ "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
index 9508951fea5..ac8f4e7ff5a 100644
--- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Create SQS queue with redrive policy",
+ "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "'kms_master_key_id' should be set",
+ "actualValue": "'kms_master_key_id' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Drop redrive policy",
+ "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "'kms_master_key_id' should be set",
+ "actualValue": "'kms_master_key_id' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Create FIFO queue",
+ "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "'kms_master_key_id' should be set",
+ "actualValue": "'kms_master_key_id' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQS With SSE Disabled",
 "severity": "MEDIUM",
- "line": 29
+ "line": 29,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.sqs_queue",
+ "resourceName": "Tag queue",
+ "searchKey": "name={{Tag queue}}.{{community.aws.sqs_queue}}.kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "'kms_master_key_id' should be set",
+ "actualValue": "'kms_master_key_id' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json
index 092c000c61f..b245e36e0b8 100644
--- a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Stack Notifications Disabled",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.cloudformation",
+ "resourceName": "create a stack, pass in the template via an URL",
+ "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}",
+ "searchValue": "",
+ "expectedValue": "cloudformation.notification_arns should be set",
+ "actualValue": "cloudformation.notification_arns is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json
index 26d12a6c987..8c2d3e55650 100644
--- a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Stack Retention Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudformation_stack_set",
+ "resourceName": "Create a stack set with instances in two accounts",
+ "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}",
+ "searchValue": "",
+ "expectedValue": "cloudformation_stack_set.purge_stacks should be set",
+ "actualValue": "cloudformation_stack_set.purge_stacks is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Stack Retention Disabled",
 "severity": "MEDIUM",
- "line": 23
+ "line": 23,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudformation_stack_set",
+ "resourceName": "on subsequent calls, templates are optional but parameters and tags can be altered",
+ "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks",
+ "searchValue": "",
+ "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false",
+ "actualValue": "cloudformation_stack_set.purge_stacks is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json
index 45c13d3d70f..ea9b2347b26 100644
--- a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Stack Without Template",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.cloudformation",
+ "resourceName": "create a stack, pass in the template via an URL",
+ "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}",
+ "searchValue": "",
+ "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set",
+ "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Stack Without Template",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.cloudformation",
+ "resourceName": "create a stack, pass in the template via an URL v2",
+ "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}",
+ "searchValue": "",
+ "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set",
+ "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Stack Without Template",
 "severity": "LOW",
- "line": 30
+ "line": 30,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudformation_stack_set",
+ "resourceName": "Create a stack set with instances in two accounts",
+ "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes template, template_body and template_url set",
+ "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Stack Without Template",
 "severity": "LOW",
- "line": 40
+ "line": 40,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudformation_stack_set",
+ "resourceName": "Create a stack set with instances in two accounts v2",
+ "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set",
+ "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
index 05f6d2f3c8f..1028235e3aa 100644
--- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "Unknown Port Exposed To Internet",
- "severity": "HIGH",
- "line": 9
- },
- {
- "queryName": "Unknown Port Exposed To Internet",
- "severity": "HIGH",
- "line": 13
- }
+ {
+ "queryName": "Unknown Port Exposed To Internet",
+ "severity": "HIGH",
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet",
+ "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Unknown Port Exposed To Internet",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet",
+ "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
index e600c057d23..b0cd51a29b5 100644
--- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
- "line": 14
+ "line": 14,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example1",
+ "searchKey": "name={{example1}}.{{amazon.aws.ec2_group}}.rules.cidr_ip={{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
- "line": 28
+ "line": 28,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example2",
+ "searchKey": "name={{example2}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
- "line": 41
+ "line": 41,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example3",
+ "searchKey": "name={{example3}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
- "line": 55
+ "line": 55,
+ "filename": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example4",
+ "searchKey": "name={{example4}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6.{{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
index 772c99ba9f8..712754b1752 100644
--- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "User Data Contains Encoded Private Key",
- "severity": "HIGH",
- "line": 9
- }
+ {
+ "queryName": "User Data Contains Encoded Private Key",
+ "severity": "HIGH",
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.ec2_lc",
+ "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4",
+ "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.user_data",
+ "searchValue": "",
+ "expectedValue": "ec2_lc.user_data should not contain RSA Private Key",
+ "actualValue": "ec2_lc.user_data contains RSA Private Key",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json
index 7a3f75db184..b3d4f82a63a 100644
--- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json
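Review bot: The `searchKey` values in this hunk alternate between two shapes, `rules.cidr_ip={{0.0.0.0/0}}` for example1/example3 and `rules.cidr_ip.{{0.0.0.0/0}}` for example2/example4, differing only in `=` versus `.` before the CIDR. If the two forms come from two rego branches (say a scalar `cidr_ip` versus a list of CIDRs), that is fine but deserves a comment in query.rego; if they are meant to be identical, one branch has a typo that this fixture now enforces. Worth confirming which before the expected results are committed, since a later normalisation of the key format will break this test either way.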
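Review bot: The pinned message `ec2_lc.user_data contains RSA Private Key` suggests the query keys on the RSA PEM header only; if the pattern in query.rego is that narrow, PKCS#8 (`-----BEGIN PRIVATE KEY-----`), EC and OpenSSH private keys embedded in user_data would pass undetected, which matters more than the message wording. I cannot see the rego from this hunk, so treat it as a question: if broader headers are already matched, the message could read `contains a private key`; if not, the query should be widened and positive cases for those formats added alongside this one.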
@@ -2,11 +2,27 @@
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 20
+ "line": 20,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "example1",
+ "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 50
+ "line": 50,
+ "filename": "positive.yaml",
+ "resourceType": "community.aws.cloudfront_distribution",
+ "resourceName": "example2",
+ "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
index a319e98250d..a025b85998b 100644
--- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and default SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and default SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.cloudfront_default_certificate", + "searchValue": "", + "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + "searchValue": "minimum_protocol_version", + "expectedValue": "Attribute minimum_protocol_version should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'minimum_protocol_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + 
"searchValue": "ssl_support_method", + "expectedValue": "Attribute ssl_support_method should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'ssl_support_method' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 85e34b71da8..8c1b6a39f2b 100644 --- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "AD Admin Not Configured For SQL Server", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server", + "searchKey": "name={{Create (or update) SQL Server}}.{{azure_rm_sqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.ad_user should be defined", + "actualValue": "azure_rm_sqlserver.ad_user is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index 8db54668eed..b1cae01e219 100644 --- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue" }, { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry2", + "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json index 222abd325a6..f6858cba4c8 100644 --- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v0", + "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon should be set", + "actualValue": "azure_rm_aks.addon is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.addon", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring should be set", + "actualValue": "azure_rm_aks.addon.monitoring is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 68 + "line": 68, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v3", + "searchKey": "name={{Create an AKS instance v3}}.{{azure_rm_aks}}.addon.monitoring", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} should be set", + "actualValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 94 + "line": 94, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v9", + "searchKey": "name={{Create an AKS instance v9}}.{{azure_rm_aks}}.addon.monitoring.enabled", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.enabled should be set to 'yes' or 'false'", + "actualValue": 
"azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index a9f6033dbaa..3c49a8c373b 100644 --- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance03", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance03}}.{{azure_rm_aks}}.network_profile.network_policy", + "searchValue": "", + "expectedValue": "Azure AKS cluster network policy should be either 'calico' or 'azure'", + "actualValue": "Azure AKS cluster network policy is istio", + "issueType": "IncorrectValue" }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance04", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance04}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "Azure AKS cluster network profile should be defined", + "actualValue": "Azure AKS cluster network profile is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json index 8d15a88670b..91400f7f3d8 100644 
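Review bot: The fourth entry of the aks_monitoring_logging_disabled hunk (line 94, "Create an AKS instance v9") pins the remediation text `should be set to 'yes' or 'false'`, which contradicts the query's intent of requiring monitoring to be enabled; the same wording appears in actualValue. Presumably the rego message should read `should be set to 'yes' or 'true'` / `is not set to 'yes' or 'true'`, and once query.rego is corrected this fixture has to be regenerated, since the test compares these strings verbatim. Committing the fixture as-is locks the misleading message into the test suite rather than surfacing it.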
--- a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.enable_rbac", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be set to 'yes' or 'true'", + "actualValue": "azure_rm_aks.enable_rbac is not set to 'yes' or 'true'", + "issueType": "IncorrectValue" }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v2", + "searchKey": "name={{Create an AKS instance v2}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be defined", + "actualValue": "azure_rm_aks.enable_rbac is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index 1129e0d6c75..8cb73e4f88a 100644 --- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" }, { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry2", + "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" }, { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", "line": 2, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registryy1", + "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}", + "searchValue": "", + "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock", + "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 7f2e13b5a90..4da00e98480 100644 --- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "azure_rm_virtualmachine", + "resourceName": "testvm001", + "searchKey": "azure_rm_virtualmachine[testvm001].ssh_public_keys", + "searchValue": "", + "expectedValue": "'azure_rm_virtualmachine[testvm001]' should be using SSH keys for authentication", + "actualValue": "'azure_rm_virtualmachine[testvm001]' is using username and password for authentication", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json index 0d8570fd156..6a30b93f871 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "CosmosDB Account IP Range Filter Not Set", "severity": "CRITICAL", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure_rm_cosmosdbaccount", + "resourceName": "Create Cosmos DB Account - max", + "searchKey": "name={{Create Cosmos DB Account - max}}.{{azure_rm_cosmosdbaccount}}", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account.ip_range_filter' should be defined", + "actualValue": "'azurerm_cosmosdb_account.ip_range_filter' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json index a1ef5db4746..9485ed12c88 100644 --- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Cosmos DB Account Without Tags", "severity": "LOW", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_cosmosdbaccount", + "resourceName": "Create Cosmos DB Account - min", + "searchKey": "name={{Create Cosmos DB Account - min}}.{{azure_rm_cosmosdbaccount}}.tags", + "searchValue": "", + "expectedValue": "azure_rm_cosmosdbaccount.tags should be defined", + "actualValue": "azure_rm_cosmosdbaccount.tags is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 0a1c0773b32..7bd26df2499 100644 
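Review bot: In the cosmosdb_account_ip_range_filter_not_set entry the expectedValue/actualValue strings name `'azurerm_cosmosdb_account.ip_range_filter'`, a Terraform resource prefix, while resourceType and searchKey say `azure_rm_cosmosdbaccount`; the message looks copy-pasted from the Terraform variant of the query. The fix belongs in the Ansible query.rego (`azure_rm_cosmosdbaccount.ip_range_filter should be defined` / `... is undefined`, matching the sibling cosmosdb_account_without_tags wording), after which this fixture needs regenerating. Merging the fixture as-is makes the test assert the wrong resource name.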
--- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'", + "actualValue": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')", + "issueType": "MissingAttribute" }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", "line": 3, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'", + "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
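Review bot: The positive3.yaml entry of this hunk records the message prefix `azure_rm_storageaccountnetworkAcls.network_acls.default_action`, which looks like a garbled concatenation in the query's rego (the other two entries use `azure_rm_storageaccount.public_network_access`); presumably it should be `azure_rm_storageaccount.network_acls.default_action`. Separately, the positive1.yaml and positive3.yaml entries are IncorrectValue findings on explicit values ('Enabled', 'Allow') yet their searchKey stops at the resource (`...{{azure.azcollection.azure_rm_storageaccount}}`) rather than the offending attribute, unlike e.g. the admin_user_enabled query whose searchKey ends in `.admin_user_enabled`; if the intent is to highlight the attribute line, the rego's searchKey should be extended and the fixture regenerated. Both points are defects in query.rego that this fixture would otherwise freeze.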
diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json index 29b80de7ead..a1dd69e166c 100644 --- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "too_many_hosts", + "searchKey": "name={{too_many_hosts}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address should allow up to 255 hosts", + "actualValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address allow 65539 hosts", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json index 188baf9b196..c75f4aa2600 100644 --- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_keyvault", + "resourceName": "Create instance of Key Vault", + "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete", + "searchValue": "", + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true", + "actualValue": "azure_rm_keyvault.enable_soft_delete is false", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Soft Delete Is Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "azure_rm_keyvault", + "resourceName": "Create instance of Key Vault 02", + "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}", + "searchValue": "", + "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined", + "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json index 6295e41f7be..d0691b4c176 100644 --- a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should equal to 'on'", + "actualValue": "azure_rm_postgresqlconfiguration.value is not equal to 'on'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json index 43927abce46..ba0cb73fe4e 100644 --- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Monitoring Log Profile Without All Activities", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile", + "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.categories", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.categories should have all categories, Write, Action and Delete", + "actualValue": "azure_rm_monitorlogprofile.categories does not have all categories, Write, Action and Delete", + "issueType": "IncorrectValue" }, { "queryName": "Monitoring Log Profile Without All Activities", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile2", + "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.categories should be defined", + "actualValue": "azure_rm_monitorlogprofile.categories is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json index a9e5e06cdb7..10d7cea04db 100644 --- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_mysqlserver", + "resourceName": "Create (or update) MySQL Server", + "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "MySQL SSL Connection Disabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_mysqlserver", + "resourceName": "Create (or update) MySQL Server2", + "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl", + "searchValue": "", + "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json index c9faef24c34..0af0e3ffcae 100644 --- a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json 
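Review bot: The second entry of the mysql_ssl_connection_disabled hunk pins the actualValue `azure_rm_mysqlserver does has enforce_ssl set to false`, a grammatical error in the query's keyActualValue that this fixture now asserts verbatim. The fix is in query.rego (`azure_rm_mysqlserver has enforce_ssl set to false`), followed by regenerating this file; editing only the fixture would break the test.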
@@ -2,31 +2,79 @@ { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.yaml", + 
"resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json index dfe5d144763..7cd010b9106 100644 
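Review bot: All six entries of the postgresql_log_checkpoints_disabled hunk pin the actualValue `azure_rm_postgresqlconfiguration.value if 'OFF'`, a typo for `is 'OFF'` that the sibling postgresql_log_connections_not_set fixture in this same change spells correctly. The typo lives in that query's keyActualValue, so the fix is `azure_rm_postgresqlconfiguration.value is 'OFF'` in query.rego plus a regenerated fixture; as committed, the test suite now guards the misspelling.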
--- a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.yaml", + 
"resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Connections Not Set", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json index d3675e682a1..4a70105cdde 100644 
--- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": 
"positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Disconnections Not Set", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json index 86f29653a21..fb246bf0c50 100644 
--- a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example4", + "searchKey": 
"name={{example4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example5", + "searchKey": "name={{example5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example6", + "searchKey": "name={{example6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index ded293c1435..b9135ff3ba5 100644 --- a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": 
"MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue" } ] 
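Review bot: Every `actualValue` in this hunk reads `azure_rm_postgresqlconfiguration.value if 'OFF'`, which freezes an apparent typo ("if" for "is") from the query's message into the test oracle, while the log_connections and log_disconnections files in the same diff use `value is 'OFF'`. These files look like they are regenerated from scanner output, so the wording should be corrected in the query's actual-value message and this file regenerated, rather than pinning the typo here where the first fix to the message will fail the test. The intended text would be `"actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'"` in all six entries.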
diff --git a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json index 95adb340371..272fd79464d 100644 --- a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json @@ -1,12 +1,28 @@ [ - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 9 - }, - { - "queryName": "Public Storage Account", - "severity": "HIGH", - "line": 19 - } + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks", + "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Public Storage Account", + "severity": "HIGH", + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and more virtual networks", + "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set", + "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'", + "issueType": "IncorrectValue" + } ] 
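Review bot: The second entry's `expectedValue`, `azure_rm_storageaccount.network_acls.default_action should not be set`, contradicts the first entry, which expects `default_action` to be set to 'Deny'; with `actualValue` reporting `default_action is 'Allow'`, the remediation text as pinned here points the reader the wrong way. The first entry's `expectedValue` also ends in a trailing space before the closing quote. Both strings are presumably copied verbatim from the query's output, so the fix belongs in the query message (something like `network_acls.default_action should be set to 'Deny'`) followed by a regeneration of this file, rather than adopting the inconsistent wording as the test oracle.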
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 34ebe756b7d..5a03ddf7cd4 100644 --- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Redis Cache Allows Non SSL Connections", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscache", + "resourceName": "Non SSl Allowed", + "searchKey": "name={{Non SSl Allowed}}.{{azure_rm_rediscache}}.enable_non_ssl_port", + "searchValue": "", + "expectedValue": "azure_rm_rediscache.enable_non_ssl_port should be set to false or undefined", + "actualValue": "azure_rm_rediscache.enable_non_ssl_port is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json index f04cd803160..fe42c283027 100644 --- a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Redis Entirely Accessible", "severity": "CRITICAL", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "Create a Firewall rule for Azure Cache for Redis", + "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule start_ip and end_ip should not equal to '0.0.0.0'", + "actualValue": "azure_rm_rediscachefirewallrule start_ip and end_ip are equal to '0.0.0.0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json index bc5829b31c7..f95b9929390 100644 --- a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Redis Publicly Accessible", "severity": "CRITICAL", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_rediscachefirewallrule", + "resourceName": "Create a Firewall rule for Azure Cache for Redis", + "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_rediscachefirewallrule ip range should be private", + "actualValue": "azure_rm_rediscachefirewallrule ip range is public", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index ac9202cc9b3..88d016f1c58 100644 --- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "azure_rm_roledefinition", + "resourceName": "Create a role definition", + "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions", + "searchValue": "", + "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation", + "issueType": "IncorrectValue" }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "azure_rm_roledefinition", + "resourceName": "Create a role definition2", + "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions", + "searchValue": "", + "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation", + "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json index d0ea6a501f6..86a65ef6fe7 100644 
--- a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet1", + "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet2", + "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 16 + "line": 16, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet3", + "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 28 + "line": 28, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet4", + "searchKey": "name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should not be empty", + "actualValue": "azure_rm_subnet.security_group is empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Group is Not Configured", "severity": 
"HIGH", - "line": 35 + "line": 35, + "filename": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet5", + "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group_name should not be empty", + "actualValue": "azure_rm_subnet.security_group_name is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 14b473342aa..c0c74d8520a 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
@@ -2,221 +2,573 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo1", + "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 27, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 27, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": 
"Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - 
"line": 41 + "line": 41, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 55, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 55, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69 + "line": 69, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo5", + "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85 + "line": 85, + "filename": "positive.yaml", + 
"resourceType": "azure_rm_securitygroup", + "resourceName": "foo6", + "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + 
"searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 113 + "line": 113, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo8", + "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 130, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 130, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": 
"foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + 
"searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "filename": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json index 5282ba8c326..81044c16b19 100644 --- a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile", + "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.retention_policy.enabled", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.enabled should be true or yes", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.enabled is false or no", + "issueType": "IncorrectValue" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile2", + "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy should be defined", + "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 46 + "line": 46, + "filename": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile3", + "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 31a8c77cc01..ac0f797aa34 100644 --- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_sqlfirewallrule", + "resourceName": "Create (or update) Firewall Rule", + "searchKey": "name={{Create (or update) Firewall Rule}}.{{azure.azcollection.azure_rm_sqlfirewallrule}}.end_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_sqlfirewallrule should allow all IPs", + "actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index abfcd251cad..5e64fa09903 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json 
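Review bot: The expectedValue/actualValue pair added for the "SQLServer Ingress From Any IP" entry is inverted — `"expectedValue": "azure_rm_sqlfirewallrule should allow all IPs"` describes the insecure state the query exists to flag, while the remedy wording ("should not allow all IPs (range from start_ip_address to end_ip_address)") sits in `actualValue`. These strings presumably come from the query's own keyExpectedValue/keyActualValue output rather than being hand-written here, so the defect is likely in the query.rego, but committing this fixture pins the inverted message as the expected result and later regenerations will keep matching it. I'd correct the rego messages and regenerate, expecting the expected/actual roles to swap to roughly `"expectedValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)"` and `"actualValue": "azure_rm_sqlfirewallrule allows all IPs"`. The `issueType` of IncorrectValue itself looks right for a range that is set but too permissive.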
@@ -2,16 +2,40 @@ { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp", + "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", + "actualValue": "azure_ad_serviceprincipal.ad_user is predictable", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp2", + "searchKey": "name={{create ad sp2}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp3", + "searchKey": "name={{create ad sp3}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index ce8105939d3..7b6d66ee713 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json 
+++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -2,16 +2,40 @@ { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server1", + "searchKey": "name={{Create (or update) SQL Server1}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server2", + "searchKey": "name={{Create (or update) SQL Server2}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server3", + "searchKey": "name={{Create (or update) SQL Server3}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be predictable", + "actualValue": "azure_rm_sqlserver.admin_username is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index a0427e72698..4d4c2d9a8fe 100644 
--- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server", + "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server2", + "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 571578e12dc..80c01465350 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json 
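Review bot: The second "SSL Enforce Disabled" entry pins a grammatical error into the expected result: `"actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false"`. Since the string presumably originates from the query's keyActualValue, the fix belongs in the query.rego with the fixture regenerated afterwards, giving `"actualValue": "azure_rm_postgresqlserver has enforce_ssl set to false"`; editing only this JSON would make the test fail against the scanner's output. The first entry's MissingAttribute form (searchKey without the `.enforce_ssl` suffix, actualValue noting the false default) is consistent with the missing-vs-incorrect split used in the other fixtures in this diff.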
@@ -2,46 +2,118 @@ { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.https_only should be defined", + "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account2", + "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account3", + "searchKey": "name={{create an account3}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 33 + "line": 33, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account4", + "searchKey": "name={{create an 
account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account5", + "searchKey": "name={{create an account5}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 51 + "line": 51, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account6", + "searchKey": "name={{create an account6}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account7", + "searchKey": "name={{create an account7}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": 
"MEDIUM", - "line": 69 + "line": 69, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account8", + "searchKey": "name={{create an account8}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 78 + "line": 78, + "filename": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account9", + "searchKey": "name={{create an account9}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index b46384e752e..41db9294327 100644 --- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "Storage Account Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 8 - }, - { - "queryName": "Storage Account Not Using Latest TLS Encryption Version", - "severity": "MEDIUM", - "line": 12 - } + { + "queryName": "Storage Account Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "Create an account with kind of FileStorage", + "searchKey": "name={{Create an account with kind of FileStorage}}.{{azure_rm_storageaccount}}.minimum_tls_version", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should be using the latest version of TLS encryption", + "actualValue": "azure_rm_storageaccount is using version TLS1_0 of TLS encryption", + "issueType": "IncorrectValue" + }, + { + "queryName": "Storage Account Not Using Latest TLS Encryption Version", + "severity": "MEDIUM", + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "Create a second account with kind of FileStorage", + "searchKey": "name={{Create a second account with kind of FileStorage}}.{{azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.minimum_tls_version should be defined", + "actualValue": "azure_rm_storageaccount.minimum_tls_version is undefined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index b27a116746e..9e2c5d46bdb 100644 --- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageblob", + "resourceName": "Create container foo and upload a file", + "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access", + "searchValue": "", + "expectedValue": "azure_rm_storageblob.public_access should not be set", + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 17, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageblob", + "resourceName": "Create container foo2 and upload a file", + "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access", + "searchValue": "", + "expectedValue": "azure_rm_storageblob.public_access should not be set", + "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 3d9d3360063..c7750fdb0c1 100644 --- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks", + "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks2", + "searchKey": "name={{configure firewall and virtual networks2}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 40 + "line": 40, + "filename": "positive.yaml", + "resourceType": "azure_rm_storageaccount", + "resourceName": "configure firewall and virtual networks3", + "searchKey": "name={{configure firewall and virtual networks3}}.{{azure_rm_storageaccount}}.network_acls.bypass", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'", + "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
index 44cefe27131..cd2de87491a 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Unrestricted SQL Server Access",
 "severity": "CRITICAL",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "azure_rm_sqlfirewallrule",
+ "resourceName": "Create (or update) Firewall Rule1",
+ "searchKey": "name={{Create (or update) Firewall Rule1}}.{{azure_rm_sqlfirewallrule}}",
+ "searchValue": "",
+ "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
+ "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted SQL Server Access",
 "severity": "CRITICAL",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "azure_rm_sqlfirewallrule",
+ "resourceName": "Create (or update) Firewall Rule2",
+ "searchKey": "name={{Create (or update) Firewall Rule2}}.{{azure_rm_sqlfirewallrule}}",
+ "searchValue": "",
+ "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
+ "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
index 0c333d3f99e..d75b8c1b79c 100644
--- a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "VM Not Attached To Network",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "azure_rm_virtualmachine",
+ "resourceName": "Create a VM with a custom image",
+ "searchKey": "name={{Create a VM with a custom image}}.{{azure_rm_virtualmachine}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_virtualmachine.network_interface_names should be defined",
+ "actualValue": "azure_rm_virtualmachine.network_interface_names is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
index 22b5f2f5a9e..629671cc233 100644
--- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "WAF Is Disabled For Azure Application Gateway",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "azure_rm_appgateway",
+ "resourceName": "Create instance of Application Gateway",
+ "searchKey": "name={{Create instance of Application Gateway}}.{{azure_rm_appgateway}}.sku.tier",
+ "searchValue": "",
+ "expectedValue": "azure_rm_appgateway.sku.tier should be 'waf' or 'waf_v2'",
+ "actualValue": "azure_rm_appgateway.sku.tier is standard",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
index fe2ba76306d..206f17b8718 100644
--- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
@@ -2,11 +2,27 @@ { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.yaml", + "resourceType": "azure_rm_webapp", + "resourceName": "Create a windows web app with non-exist app service plan", + "searchKey": "name={{Create a windows web app with non-exist app service plan}}.{{azure_rm_webapp}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_webapp.https_only should be set to true or 'yes'", + "actualValue": "azure_rm_webapp.https_only value is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "azure_rm_webapp", + "resourceName": "Create another windows web app", + "searchKey": "name={{Create another windows web app}}.{{azure_rm_webapp}}", + "searchValue": "", + "expectedValue": "azure_rm_webapp.https_only should be defined", + "actualValue": "azure_rm_webapp.https_only is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json index ab2ceef570a..4f2765c0f8a 100644 --- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ - { - "queryName": "Allow Unsafe Lookups Enabled In Defaults", - "severity": "HIGH", - "line": 19 - } + { + "queryName": "Allow Unsafe Lookups Enabled In Defaults", + "severity": "HIGH", + "line": 19, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "defaults", + "searchKey": "defaults.allow_unsafe_lookups", + "searchValue": "", + "expectedValue": "allow_unsafe_lookups should be set to 'False'", + "actualValue": "allow_unsafe_lookups is set to 'True'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json index af3bb39b39d..9123c1a6d5b 100644 --- a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "Communication Over HTTP In Defaults", - "severity": "MEDIUM", - "line": 5 - } + { + "queryName": "Communication Over HTTP In Defaults", + "severity": "MEDIUM", + "line": 5, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "[galaxy].server", + "searchValue": "", + "expectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol", + "actualValue": "'server' from galaxy group is accessed via the HTTP protocol'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json index 4236128659b..174d635e4b7 100644 --- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json 
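Review bot: The two ansible-config fixtures on this line describe the same kind of INI location in two different shapes: allow_unsafe_lookups_enabled_in_defaults records `"resourceName": "defaults"` with `"searchKey": "defaults.allow_unsafe_lookups"`, while communication_over_http_in_defaults records `"resourceName": "n/a"` with `"searchKey": "[galaxy].server"` (bracketed section, different separator). These values presumably come from the queries rather than from the script, but anything that keys on searchKey or resourceName to classify or deduplicate config findings will treat these as unrelated conventions; one form (section name as resourceName, `section.key` as searchKey) should be picked and the queries aligned before more fixtures are frozen. The stray apostrophe at the end of the second file's `actualValue` is noted with the other message typos on the ssl_enforce_is_disabled hunk.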
+++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Logging of Sensitive Data In Defaults", - "severity": "LOW", - "filename": "positive1.cfg", - "line": 1 - }, - { - "queryName": "Logging of Sensitive Data In Defaults", - "severity": "LOW", - "filename": "positive2.cfg", - "line": 39 - } + { + "queryName": "Logging of Sensitive Data In Defaults", + "severity": "LOW", + "line": 1, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults", + "searchValue": "", + "expectedValue": "no_log should be defined and set to 'true'", + "actualValue": "no_log is not defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Logging of Sensitive Data In Defaults", + "severity": "LOW", + "line": 39, + "filename": "positive2.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.no_log", + "searchValue": "", + "expectedValue": "no_log should be set to 'true'", + "actualValue": "no_log is set to 'false'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json index edcbda369aa..d67afbbd16d 100644 --- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json +++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json 
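Review bot: The first entry pairs `"actualValue": "no_log is not defined"` with `"issueType": "IncorrectValue"`, whereas every other undefined-attribute entry in this commit (vm_not_attached_to_network, the second privilege_escalation_using_become_plugin_in_defaults entry, and the `searchKey` here is the bare `defaults` section rather than `defaults.no_log`) is classified as `MissingAttribute`. Since the script takes issueType from query.rego, this most likely mirrors the rego's own value for the undefined branch; confirm it there and, if it is `IncorrectValue`, change it to `"issueType": "MissingAttribute"` in the query and regenerate, otherwise the inconsistency will propagate to every consumer that filters on issueType.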
@@ -1,14 +1,28 @@ [ - { - "queryName": "Privilege Escalation Using Become Plugin In Defaults", - "severity": "MEDIUM", - "filename": "positive1.cfg", - "line": 10 - }, - { - "queryName": "Privilege Escalation Using Become Plugin In Defaults", - "severity": "MEDIUM", - "filename": "positive2.cfg", - "line": 12 - } + { + "queryName": "Privilege Escalation Using Become Plugin In Defaults", + "severity": "MEDIUM", + "line": 10, + "filename": "positive1.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.become", + "searchValue": "", + "expectedValue": "'become' should be set to 'true'", + "actualValue": "'become' is set to 'false'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privilege Escalation Using Become Plugin In Defaults", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.cfg", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "defaults.become_user", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true'", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index ccbd9315993..eb8c9bdab99 100644 --- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json 
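Review bot: The second entry's `searchKey` is `defaults.become_user`, but its `expectedValue`/`actualValue` talk only about `'become'` (`"'become' should be defined and set to 'true'"` / `"'become' is not defined"`), so the finding points the reader at one key while describing another. If the rule is "become_user is set while become is not", the message should say so, e.g. `"'become' should be defined and set to 'true' when 'become_user' is set"`; if the rule is simply about `become` being absent, the searchKey should point at the `defaults` section instead. Either way the fix is in the query's messages, and this fixture then needs regenerating.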
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "BigQuery Dataset Is Public",
- "severity": "HIGH",
- "line": 5
- }
+ {
+ "queryName": "BigQuery Dataset Is Public",
+ "severity": "HIGH",
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_bigquery_dataset",
+ "resourceName": "create a dataset",
+ "searchKey": "name={{create a dataset}}.{{google.cloud.gcp_bigquery_dataset}}.access",
+ "searchValue": "",
+ "expectedValue": "gcp_bigquery_dataset.access.special_group should not equal to 'allAuthenticatedUsers'",
+ "actualValue": "gcp_bigquery_dataset.access.special_group is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
index 36503065ad0..aff3d8e0545 100644
--- a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined", + "actualValue": "gcp_container_cluster.master_auth is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.client_certificate_config should be defined", + "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Disabled", "severity": "HIGH", - "line": 37 + "line": 37, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be true", + "actualValue": "gcp_container_cluster.master_auth.password is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json index 9379e54d288..99b0859bd2f 100644 --- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json 
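Review bot: The third entry's `searchKey` ends in `.master_auth.client_certificate_config.issue_client_certificate`, yet its messages read `"gcp_container_cluster.master_auth.password should be true"` / `"gcp_container_cluster.master_auth.password is false"`, naming a password field the query is not examining. A user acting on this finding would look at the wrong attribute, so the query's keyExpectedValue/keyActualValue should be `"gcp_container_cluster.master_auth.client_certificate_config.issue_client_certificate should be true"` and `"... is false"`, after which this fixture is regenerated. This commit only freezes the current text, so the mismatch is pre-existing, but the new exact-match fields are what make it visible.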
+++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json @@ -1,17 +1,41 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 3 - }, - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 20 - }, - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 33 - } + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a managed zone", + "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config should be defined", + "actualValue": "gcp_dns_managed_zone.dnssec_config is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 20, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a second managed zone", + "searchKey": "name={{create a second managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should be defined", + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a third managed zone", + "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'", + "actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
index 0d9b8e9029c..f07a27f2012 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Cloud SQL Instance With Contained Database Authentication On",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct",
+ "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'contained database authentication' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
index 195a85873d7..a6a0b86ce53 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
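Review bot: The new `expectedValue` `"cloud_gcp_sql_instance.settings.database_flags should be correct"` gives the reader nothing to act on, even though the `actualValue` already identifies the flag (`'contained database authentication'`) and the required value (`'off'`); the expected message should name them, e.g. `"cloud_gcp_sql_instance.settings.database_flags 'contained database authentication' should be set to 'off'"`. The sibling cloud_sql_instance_with_cross_db_ownership_chaining_on hunk has the same vague wording and additionally carries literal template braces in both messages (`{{cloud_gcp_sql_instance}}.settings.database_flags ...`), which this file does not, so the two queries have drifted; both fixes belong in the respective query.rego with the fixtures regenerated. The `cloud_gcp_sql_instance` prefix also does not match the module name `gcp_sql_instance` used in `resourceType`/`searchKey`, which looks like a leftover from another provider's naming — worth checking while the messages are being touched.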
@@ -2,6 +2,14 @@
 {
 "queryName": "Cloud SQL Instance With Cross DB Ownership Chaining On",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "{{cloud_gcp_sql_instance}}.settings.database_flags should be correct",
+ "actualValue": "{{cloud_gcp_sql_instance}}.settings.database_flags.name is 'cross db ownership chaining' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
index e0ee2d2a9d5..051ce350cc8 100644
--- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket1", + "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket2", + "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'", + "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 28 + "line": 28, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_storage_bucket", + "resourceName": "create a bucket3", + "searchKey": "name={{create a bucket3}}.{{google.cloud.gcp_storage_bucket}}", + "searchValue": "", + "expectedValue": "gcp_storage_bucket.default_object_acl should be defined", + "actualValue": "gcp_storage_bucket.default_object_acl is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
index 1d61cc30951..b91fe36561d 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket",
+ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.logging should be defined",
+ "actualValue": "gcp_storage_bucket.logging is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index e2023f7479b..83a8326bafd 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket",
+ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.versioning should be defined",
+ "actualValue": "gcp_storage_bucket.versioning is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a second bucket",
+ "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.versioning.enabled should be true",
+ "actualValue": "gcp_storage_bucket.versioning.enabled is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
index 8c1a8dc644d..b0a265340c2 100644
--- a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null",
+ "actualValue": "google.cloud.gcp_container_cluster is undefined and null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
- "line": 17
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null",
+ "actualValue": "google.cloud.gcp_container_cluster is undefined and null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
- "line": 47
+ "line": 47,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels",
+ "searchValue": "",
+ "expectedValue": "google.cloud.gcp_container_cluster should not be empty",
+ "actualValue": "google.cloud.gcp_container_cluster is empty",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
index 06b3b7a82fa..f263c85b76d 100644
--- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
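Review bot: The first two entries pin messages that name the wrong object: `google.cloud.gcp_container_cluster should be defined and not null` / `is undefined and null` describe a missing cluster, whereas the finding (bare-resource searchKey, MissingAttribute) is a missing `resource_labels` attribute, and "undefined and null" cannot both hold at once; the third entry likewise says the cluster "is empty" when it is `resource_labels` that is empty. The strings presumably come from the query's keyExpectedValue/keyActualValue, so the rego and this fixture have to change together, e.g. `"expectedValue": "gcp_container_cluster.resource_labels should be defined and not null"` and `"actualValue": "gcp_container_cluster.resource_labels is undefined or null"`. Freezing the current text here makes that cleanup a test-breaking change later.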
+++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json 
@@ -2,26 +2,66 @@
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth should be defined and not null",
+ "actualValue": "gcp_container_cluster.master_auth is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null",
+ "actualValue": "gcp_container_cluster.master_auth.username is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
- "line": 32
+ "line": 32,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null",
+ "actualValue": "gcp_container_cluster.master_auth.password is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
- "line": 46
+ "line": 46,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster4",
+ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null",
+ "actualValue": "gcp_container_cluster.master_auth.username is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
- "line": 61
+ "line": 61,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster5",
+ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null",
+ "actualValue": "gcp_container_cluster.master_auth.password is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
index 77e4bef3293..74f1a4903c8 100644
--- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
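Review bot: These entries pin the absence of `master_auth.username` / `master_auth.password` as the finding (`should be defined and not null`, MissingAttribute), while the GKE Basic Authentication Enabled fixture later in this same diff pins their presence as the finding (`should be empty`, IncorrectValue); no playbook can satisfy both queries, and after this commit both contradictory messages are test-enforced. Basic auth on GKE is deprecated and removed on current versions, so a "Master Authentication Disabled" check presumably intends client-certificate settings (`client_certificate_config.issue_client_certificate`) rather than demanding a static password; I cannot see query.rego from here, but please confirm the intent before freezing these strings. If the query really wants username/password, the two queries should at least not be shipped as a contradictory pair.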
@@ -2,6 +2,14 @@
 {
 "queryName": "Compute Instance Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance",
+ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.network_interfaces.access_configs",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.network_interfaces.access_configs should not be defined",
+ "actualValue": "gcp_compute_instance.network_interfaces.access_configs is defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
index 7749e1bcee8..d2cf2d7de3f 100644
--- a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "COS Node Image Not Used",
 "severity": "LOW",
- "line": 13
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a node pool",
+ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.config.image_type",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.config.image_type should start with 'COS'",
+ "actualValue": "gcp_container_node_pool.config.image_type does not start with 'COS'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json
index ed85273a162..4006e0c7b33 100644
--- a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 3,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "google.cloud.gcp_compute_disk",
+ "resourceName": "create a disk1",
+ "searchKey": "name={{create a disk1}}.{{google.cloud.gcp_compute_disk}}",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_disk.disk_encryption_key should be defined and not null",
+ "actualValue": "gcp_compute_disk.disk_encryption_key is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "google.cloud.gcp_compute_disk",
+ "resourceName": "create a disk3",
+ "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null",
+ "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 27,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "google.cloud.gcp_compute_disk",
+ "resourceName": "create a disk4",
+ "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty",
+ "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "google.cloud.gcp_compute_disk",
+ "resourceName": "create a disk3",
+ "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null",
+ "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "google.cloud.gcp_compute_disk",
+ "resourceName": "create a disk4",
+ "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty",
+ "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
index e0b836b45d2..25ca6be4480 100644
--- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "DNSSEC Using RSASHA1",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_dns_managed_zone",
+ "resourceName": "create a managed zone",
+ "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.defaultKeySpecs.algorithm",
+ "searchValue": "",
+ "expectedValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm should not equal to 'rsasha1'",
+ "actualValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm is equal to 'rsasha1'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json
index 7d0d7d53ef2..8c760fe1fe5 100644
--- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json
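Review bot: The searchKey and both messages pinned here use `dnssec_config.defaultKeySpecs.algorithm` (camelCase), while every other key in these fixtures is the Ansible module's snake_case spelling and the `google.cloud.gcp_dns_managed_zone` module documents the list as `default_key_specs`; if the query and its positive.yaml only use the camelCase name, a real playbook written as `default_key_specs: [{algorithm: rsasha1, ...}]` would not be flagged and this test would never notice. I cannot see query.rego or positive.yaml from here, so this is inferred from the string alone; please confirm the sample uses the module's real key name, in which case the expectation should read `...dnssec_config.default_key_specs.algorithm`.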
@@ -2,26 +2,66 @@
 {
 "queryName": "GKE Basic Authentication Enabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth should be defined",
+ "actualValue": "gcp_container_cluster.master_auth is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "GKE Basic Authentication Enabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.username should be defined",
+ "actualValue": "gcp_container_cluster.master_auth.username is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "GKE Basic Authentication Enabled",
 "severity": "MEDIUM",
- "line": 32
+ "line": 32,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.password should be defined",
+ "actualValue": "gcp_container_cluster.master_auth.password is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "GKE Basic Authentication Enabled",
 "severity": "MEDIUM",
- "line": 47
+ "line": 47,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster4",
+ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.username should be empty",
+ "actualValue": "gcp_container_cluster.master_auth.username is not empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "GKE Basic Authentication Enabled",
 "severity": "MEDIUM",
- "line": 63
+ "line": 63,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster5",
+ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth.password",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.password should be empty",
+ "actualValue": "gcp_container_cluster.master_auth.password is not empty",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
index 7a792dec50d..cf690d5d430 100644
--- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "GKE Legacy Authorization Enabled",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster",
+ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.legacy_abac.enabled",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.legacy_abac.enabled should be set to false",
+ "actualValue": "gcp_container_cluster.legacy_abac.enabled is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
index 5535f921553..1ec52d3e4e9 100644
--- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster",
+ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config.enabled",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be true",
+ "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a second cluster",
+ "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined",
+ "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a third cluster",
+ "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined",
+ "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json
index c1d0cdbb565..fedec730665 100644
--- a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "GKE Using Default Service Account",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "GKE Using Default Service Account",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "GKE Using Default Service Account",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive1.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster",
+ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config",
+ "searchValue": "",
+ "expectedValue": "'service_account' should not be default",
+ "actualValue": "'service_account' is missing",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "GKE Using Default Service Account",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster",
+ "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account",
+ "searchValue": "",
+ "expectedValue": "'service_account' should not be default",
+ "actualValue": "'service_account' is default",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
index ed1b5a8150c..bae09afcaf2 100644
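Review bot: Beyond adding `issueType`, this hunk silently renames the key `fileName` to `filename` in both entries (the disk_encryption_disabled fixture earlier in this diff already used `filename`, so the repository had both spellings), and the whole-array rewrite caused by re-indentation hides that rename in the diff. The rename is only correct if the test loader decodes the `filename` key; if it does, the old `fileName` entries were being ignored and the per-file assertion was never actually checked for this query, and if it does not, the new key is now the one being ignored. Please confirm the loader's field name (or that it matches case-insensitively) and call the rename out explicitly, since several other fixtures in this diff make the same change.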
--- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Google Compute Network Using Default Firewall Rule",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_network",
+ "resourceName": "create a network2",
+ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}",
+ "searchValue": "",
+ "expectedValue": "'google.cloud.gcp_compute_network' should not be using a default firewall rule",
+ "actualValue": "'google.cloud.gcp_compute_network' is using a default firewall rule",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json
index 35ee2790201..f5b553533c1 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range",
 "severity": "LOW",
 "line": 19,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_network",
+ "resourceName": "create a network2",
+ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}",
+ "searchValue": "",
+ "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to port range",
+ "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to port range",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
index c07d1c5283a..0a12b4cc14b 100644
--- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_network",
+ "resourceName": "create a network2",
+ "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}",
+ "searchValue": "",
+ "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to all ports",
+ "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to all ports",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
index 9fab22393ec..c9a9decac64 100644
--- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Compute SSL Policy Weak Cipher In Use",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_ssl_policy",
+ "resourceName": "create a SSL policy",
+ "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'",
+ "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Google Compute SSL Policy Weak Cipher In Use",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_ssl_policy",
+ "resourceName": "create a SSL policy2",
+ "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'",
+ "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
index 4b088e2c82c..7fda25bb211 100644
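Review bot: Both messages pinned for this query are ungrammatical to the point of being unreadable in a report: `gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'` and, worse, `gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'`, which repeats the attribute name. The strings presumably come from the query's keyExpectedValue/keyActualValue, so they should be fixed in the rego and here in one change, e.g. `"expectedValue": "gcp_compute_ssl_policy.min_tls_version should be set to 'TLS_1_2'"` and `"actualValue": "gcp_compute_ssl_policy.min_tls_version is not set to 'TLS_1_2'"`. Note also that the only condition frozen here is the minimum TLS version, while the query is named "Weak Cipher In Use"; on GCP SSL policies the cipher set is governed by `profile`, so if TLS version is the intended scope the messages should say so rather than imply a cipher check.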
--- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "google.cloud.gcp_compute_subnetwork",
+ "resourceName": "create a subnetwork",
+ "searchKey": "name={{create a subnetwork}}.{{google.cloud.gcp_compute_subnetwork}}",
+ "searchValue": "",
+ "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be defined and not null",
+ "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "google.cloud.gcp_compute_subnetwork",
+ "resourceName": "create a subnetwork2",
+ "searchKey": "name={{create a subnetwork2}}.{{google.cloud.gcp_compute_subnetwork}}.private_ip_google_access",
+ "searchValue": "",
+ "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be set to yes",
+ "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is set to no",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
index 6be1d2d4a37..f23dbf70a80 100644
--- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a node pool",
+ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true",
+ "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
- "line": 26
+ "line": 26,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a node pool2",
+ "searchKey": "name={{create a node pool2}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true",
+ "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
- "line": 29
+ "line": 29,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a node pool3",
+ "searchKey": "name={{create a node pool3}}.{{google.cloud.gcp_container_node_pool}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management should be defined",
+ "actualValue": "gcp_container_node_pool.management is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
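Review bot: The two IncorrectValue entries freeze a typo in the actual-value text, `gcp_container_node_poolmanagement.auto_repair is set to false` (missing dot after `gcp_container_node_pool`), while the expectedValue on the same entries spells the path correctly; once this is committed, the first person to fix the query's keyActualValue will break this test. The string presumably originates in the rego, so fix it there and in this fixture in the same change: `"actualValue": "gcp_container_node_pool.management.auto_repair is set to false",` on both entries.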
diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
index 64749f941ee..b9e96c3fe89 100644
--- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "High Google KMS Crypto Key Rotation Period",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_kms_crypto_key",
+ "resourceName": "create a crypto key",
+ "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period",
+ "searchValue": "",
+ "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000",
+ "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "High Google KMS Crypto Key Rotation Period",
 "severity": "MEDIUM",
- "line": 23
+ "line": 23,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_kms_crypto_key",
+ "resourceName": "create a crypto key2",
+ "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}",
+ "searchValue": "",
+ "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000",
+ "actualValue": "gcp_kms_crypto_key.rotation_period is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json
index 515f5894a3c..bf00224bb44 100644
--- a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.ip_allocation_policy should be defined",
+ "actualValue": "gcp_container_cluster.ip_allocation_policy is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be set to true",
+ "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 50
+ "line": 50,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true",
+ "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json
index fd23b343a69..ee06f4780ea 100644
--- a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "IP Forwarding Enabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance",
+ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.can_ip_forward",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.can_ip_forward should be set to false",
+ "actualValue": "gcp_compute_instance.can_ip_forward is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
index ca7bdf90551..0c734e6df4e 100644
--- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "MySQL Instance With Local Infile On",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct",
+ "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'local_infile' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json
index 422a04267dc..b5e8aa9ac33 100644
--- a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json
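Review bot: The expectedValue in this entry, `"cloud_gcp_sql_instance.settings.database_flags should be correct"`, does not state what value is expected, and its `cloud_gcp_sql_instance` prefix differs from the `gcp_sql_instance` prefix every sibling fixture in this diff uses. Because this file only records what the query emits, the fixture is presumably faithful to the current query output and the wording should be fixed in the query's keyExpectedValue/keyActualValue first and the fixture regenerated, for example `"expectedValue": "gcp_sql_instance.settings.database_flags should set 'local_infile' to 'off'"`. The query.rego is not visible here, so confirm the source of the message before changing the fixture.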
@@ -2,26 +2,66 @@
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "network_policy",
+ "expectedValue": "gcp_container_cluster.network_policy should be defined",
+ "actualValue": "gcp_container_cluster.network_policy is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 21
+ "line": 21,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "addons_config",
+ "expectedValue": "gcp_container_cluster.addons_config should be defined",
+ "actualValue": "gcp_container_cluster.addons_config is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 54
+ "line": 54,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.addons_config",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.addons_config.network_policy_config should be defined",
+ "actualValue": "gcp_container_cluster.addons_config.network_policy_config is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 73
+ "line": 73,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster4",
+ "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled",
+ "searchValue": "",
+ "expectedValue": 
"gcp_container_cluster.network_policy.enabled should be true", + "actualValue": "gcp_container_cluster.network_policy.enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 96 + "line": 96, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 1e8d4e0b4e8..b88ab156a9b 100644 --- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json 
@@ -2,16 +2,40 @@
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a node pool",
+ "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management should be defined",
+ "actualValue": "gcp_container_node_pool.management is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a second node pool",
+ "searchKey": "name={{create a second node pool}}.{{google.cloud.gcp_container_node_pool}}.management",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be defined",
+ "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_node_pool",
+ "resourceName": "create a third node pool",
+ "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade",
+ "searchValue": "",
+ "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true",
+ "actualValue": "gcp_container_node_pool.management.auto_upgrade is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json
index 489e34a7d20..fa168f793d7 100644
--- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "OSLogin Is Disabled In VM Instance",
- "severity": "MEDIUM",
- "line": 4
- }
+ {
+ "queryName": "OSLogin Is Disabled In VM Instance",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "oslogin-disabled",
+ "searchKey": "name={{oslogin-disabled}}.{{google.cloud.gcp_compute_instance}}.metadata.enable-oslogin",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.metadata.enable-oslogin should be true",
+ "actualValue": "gcp_compute_instance.metadata.enable-oslogin is false",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json
index f8fa12d454b..b2f7b1ce458 100644
--- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON",
- "severity": "MEDIUM",
- "line": 5
- },
- {
- "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON",
- "severity": "MEDIUM",
- "line": 16
- }
+ {
+ "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create instance",
+ "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'",
+ "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON",
+ "severity": "MEDIUM",
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create another instance",
+ "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined",
+ "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json
index 6cd81a17bd4..fdd09f30c50 100644
--- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "PostgreSQL Log Connections Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create instance",
+ "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_connections' flag set to 'on'",
+ "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_connections' flag set to 'off'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Connections Disabled",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create another instance",
+ "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined",
+ "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json
index 176293e62bf..8018231242f 100644
--- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PostgreSQL Logging Of Temporary Files Disabled",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_temp_files to 0",
+ "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_temp_files to 0",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json
index 58a65f3141f..89ccca0756a 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PostgreSQL Misconfigured Log Messages Flag",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags.log_min_messages",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.database_flags should set 'log_min_messages' to a valid value",
+ "actualValue": "gcp_sql_instance.settings.database_flags doesn't set 'log_min_messages' to a valid value",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json
index 2032e1d2680..ebae796beb6 100644
--- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PostgreSQL Misconfigured Logging Duration Flag",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_min_duration_statement to -1",
+ "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_min_duration_statement to -1",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json
index 689ed5ffc81..fe2af78c435 100644
--- a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.private_cluster_config should be defined",
+ "actualValue": "gcp_container_cluster.private_cluster_config is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined",
+ "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 48
+ "line": 48,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined",
+ "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 66
+ "line": 66,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster4",
+ "searchKey": "name={{create a 
cluster4}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_endpoint",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be true",
+ "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 85
+ "line": 85,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster5",
+ "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_nodes",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be true",
+ "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
index 13ca90f5f99..543fdbe58f1 100644
--- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
@@ -1,17 +1,41 @@
 [
- {
- "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
- "severity": "MEDIUM",
- "line": 4
- },
- {
- "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
- "severity": "MEDIUM",
- "line": 9
- },
- {
- "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
- "severity": "MEDIUM",
- "line": 15
- }
+ {
+ "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "ssh_keys_unblocked",
+ "searchKey": "name={{ssh_keys_unblocked}}.{{google.cloud.gcp_compute_instance}}.metadata.block-project-ssh-keys",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be true",
+ "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
+ "severity": "MEDIUM",
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "ssh_keys_missing",
+ "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true",
+ "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
+ "severity": "MEDIUM",
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "no_metadata",
+ "searchKey": "name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.metadata should be set",
+ "actualValue": "gcp_compute_instance.metadata is undefined",
+ "issueType": "MissingAttribute"
+ 
}
 ]
diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
index 54fdcecba5f..9ba816b949a 100644
--- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_firewall",
+ "resourceName": "rdp_in_range",
+ "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic",
+ "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
- "line": 29
+ "line": 29,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_firewall",
+ "resourceName": "rdp_in_port",
+ "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic",
+ "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json
index b24c967c2c6..cc550840de3 100644
--- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Serial Ports Are Enabled For VM Instances",
- "severity": "MEDIUM",
- "line": 4
- }
+ {
+ "queryName": "Serial Ports Are Enabled For VM Instances",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "serial_enabled",
+ "searchKey": "name={{serial_enabled}}.{{google.cloud.gcp_compute_instance}}.metadata.serial-port-enable",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.metadata.serial-port-enable should be undefined or set to false",
+ "actualValue": "gcp_compute_instance.metadata.serial-port-enable is set to true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json
index eca3f4bb68b..c7cd4b6520a 100644
--- a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json
@@ -2,36 +2,92 @@
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance1",
+ "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined",
+ "actualValue": "gcp_compute_instance.shielded_instance_config is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 42
+ "line": 42,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance2",
+ "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be defined",
+ "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 65
+ "line": 65,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance3",
+ "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be defined",
+ "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 88
+ "line": 88,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance4",
+ "searchKey": "name={{create a 
instance4}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be defined",
+ "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 112
+ "line": 112,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance5",
+ "searchKey": "name={{create a instance5}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_integrity_monitoring",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be true",
+ "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 137
+ "line": 137,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance6",
+ "searchKey": "name={{create a instance6}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_secure_boot",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be true",
+ "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 162
+ "line": 162,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_compute_instance",
+ "resourceName": "create a instance7",
+ "searchKey": "name={{create a instance7}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_vtpm",
+ "searchValue": "",
+ "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be true",
+ 
"actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 4beca497fd1..2299c808c61 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json 
@@ -2,21 +2,53 @@
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create a instance",
+ "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings should be defined",
+ "actualValue": "gcp_sql_instance.settings is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create a second instance",
+ "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.backup_configuration should be defined",
+ "actualValue": "gcp_sql_instance.settings.backup_configuration is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 24
+ "line": 24,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create a third instance",
+ "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration",
+ "searchValue": "",
+ "expectedValue": "gcp_sql_instance.settings.backup_configuration.enabled should be defined",
+ "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 38
+ "line": 38,
+ "filename": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "create a forth instance",
+ "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled",
+ "searchValue": "",
+ 
"expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 895e3ab0522..c1cdb2abd51 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.authorized_networks.name={{google dns server}}.value", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address should be trusted", + "actualValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address is not restricted: '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance2", + "searchKey": "name={{sql_instance2}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.ipv4_enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled should be disabled when there are no authorized networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled is enabled when there are no authorized networks", + "issueType": "IncorrectValue" }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 34 + "line": 34, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance3", + "searchKey": "name={{sql_instance3}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined and allow only trusted networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index f57970923b9..dc60d43b700 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings should be defined", + "actualValue": "gcp_sql_instance.settings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a second instance", + "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a third instance", + "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 39 + "line": 39, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", + "searchValue": "", + 
"expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 87ae2e25edb..f82c8d4527e 100644 --- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "ssh_unrestricted", + "searchKey": "name={{ssh_unrestricted}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain SSH port (22) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain SSH port (22) with unrestricted ingress traffic", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 73738c59a3a..ebccb57ab53 100644 --- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should be defined", + "actualValue": "gcp_container_cluster.logging_service is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", + "actualValue": "gcp_container_cluster.logging_service is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 325445d9111..5c28fe731d3 100644 --- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should be defined", + "actualValue": "gcp_container_cluster.monitoring_service is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", + "actualValue": "gcp_container_cluster.monitoring_service is 'none'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json index 8c434d44683..440ca1c7d78 100644 --- a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json 
@@ -1,22 +1,54 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 3 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 57 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 86 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 115 - } + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 3, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be defined", + "actualValue": "gcp_compute_instance.service_account_email is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 57, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance2", + "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be empty", + "actualValue": "gcp_compute_instance.service_account_email is empty", + "issueType": "IncorrectValue" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 86, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance3", + "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be an email", + "actualValue": "gcp_compute_instance.service_account_email is not an email", + "issueType": "IncorrectValue" + }, + { + 
"queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 115, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", + "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index ace8a7b988f..a8a7481dc6c 100644 --- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "VM With Full Cloud Access", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.service_accounts", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_accounts.scopes should not contain 'cloud-platform'", + "actualValue": "gcp_compute_instance.service_accounts.scopes contains 'cloud-platform'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json index 82b40927d37..b5b260fc035 100644 --- a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json 
+++ b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Communication Over HTTP", - "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml" - } -] \ No newline at end of file + { + "queryName": "Communication Over HTTP", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.uri", + "resourceName": "Verificar o status do site", + "searchKey": "name={{Verificar o status do site}}.{{ansible.builtin.uri}}.url", + "searchValue": "", + "expectedValue": "ansible.builtin.uri.url should be accessed via the HTTPS protocol", + "actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'", + "issueType": "IncorrectValue" + } +] diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index d18625872a6..ea55853985b 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json 
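Review bot: The actualValue in this entry carries a stray trailing quote, `is accessed via the HTTP protocol'`, which the expected-result file now locks in. If this is a verbatim copy of the query's output the typo lives in the rego and should be fixed there, with the fixture regenerated to `"actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol"`; if the file was edited by hand, the extra character will make the exact-match comparison fail. Either way the fixture should not be where the typo is preserved.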
@@ -1,14 +1,28 @@ [ - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 12, - "fileName": "positive1.yaml" - } + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.template", + "resourceName": "One", + "searchKey": "name={{One}}.{{ansible.builtin.template}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.template.src should not be a relative path", + "actualValue": "ansible.builtin.template.src is a relative path", + "issueType": "IncorrectValue" + }, + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.copy", + "resourceName": "Two", + "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.copy.src should not be a relative path", + "actualValue": "ansible.builtin.copy.src is a relative path", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index fd7f628c92d..5362bfee868 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" - }, - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 5, - "fileName": "positive2.yaml" - } -] \ No newline at end of file + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}.no_log", + "searchValue": "", + "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 5, + "filename": "positive2.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}", + "searchValue": "", + "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is not defined", + "issueType": "MissingAttribute" + } +] diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 9f87ac0816f..e423f27c8e3 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 31, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 44, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 53, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 61, - "fileName": "positive1.yaml" - } -] \ No newline at end of file + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become_user={{bar}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 31, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{foo}}", + "searchValue": "", + 
"expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 44, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 53, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute" + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 61, + "filename": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user without become}}.become_user={{mysql}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with mysql", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute" + } +] diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json index 96a4bfa8502..2a630fa9754 100644 --- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json 
+++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json 
@@ -1,62 +1,132 @@ [ - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 5 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 17 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 25 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 38 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 46 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 64 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 74 - } -] \ No newline at end of file + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "not preserve value", + "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing", + "searchKey": "name={{Permissions missing}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about 
creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 17, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "Permissions missing 2x", + "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", + "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file", + "issueType": "MissingAttribute" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 25, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing 3x", + "searchKey": "name={{Permissions missing 3x}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true", + "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 38, + "filename": "positive1.yaml", + "resourceType": "get_url", + "resourceName": "Permissions missing 4x", + "searchKey": "name={{Permissions missing 4x}}.{{get_url}}", + "searchValue": "", + 
"expectedValue": "All the permissions set in get_url about creating files/directories", + "actualValue": "There are some permissions missing in get_url and might create directory/file", + "issueType": "MissingAttribute" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 46, + "filename": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true 2x", + "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 55, + "filename": "positive1.yaml", + "resourceType": "replace", + "resourceName": "not preserve mode 2x", + "searchKey": "name={{not preserve mode 2x}}.{{replace}}", + "searchValue": "", + "expectedValue": "replace does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of replace is set to 'preserve'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 64, + "filename": "positive1.yaml", + "resourceType": "file", + "resourceName": "Not Permissions", + "searchKey": "name={{Not Permissions}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute" + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 74, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.lineinfile", + "resourceName": "create_false", + "searchKey": "name={{create_false}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": 
"ansible.builtin.lineinfile does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.lineinfile is set to 'preserve'", + "issueType": "IncorrectValue" + } +] diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json index f67cb49ccc2..379b8acb319 100644 --- a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json +++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json 
@@ -1,158 +1,340 @@ [ - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 8 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 18 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 23 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 34 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 40 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 44 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 50 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 60 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 65 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 74 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 79 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 84 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 89 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": 
"positive1.yaml", - "line": 94 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 101 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 106 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 111 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 116 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 121 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 130 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 136 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 144 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 149 - } -] \ No newline at end of file + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible", + "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.pip", + "resourceName": "Install Ansible-lint", + "searchKey": "name={{Install Ansible-lint}}.{{ansible.builtin.pip}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a 
package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install some-package", + "searchKey": "name={{Install some-package}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 23, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible with update_only to false", + "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 29, + "filename": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 34, + "filename": "positive1.yaml", + "resourceType": "community.general.apk", + "resourceName": "Install package without using 
cache", + "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 40, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.apt", + "resourceName": "Install apache httpd", + "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 44, + "filename": "positive1.yaml", + "resourceType": "community.general.bundler", + "resourceName": "Update Gemfile in another directory", + "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 50, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.dnf", + "resourceName": "Install a modularity appstream with defined profile", + "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + 
"issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 55, + "filename": "positive1.yaml", + "resourceType": "community.general.gem", + "resourceName": "Install rake", + "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 60, + "filename": "positive1.yaml", + "resourceType": "community.general.homebrew", + "resourceName": "Install formula foo with 'brew' from cask", + "searchKey": "name={{Install formula foo with 'brew' from cask}}.{{community.general.homebrew}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 65, + "filename": "positive1.yaml", + "resourceType": "community.general.jenkins_plugin", + "resourceName": "Install Green Balls plugin", + "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 74, + "filename": "positive1.yaml", + "resourceType": "community.general.npm", + "resourceName": "Install packages based on package.json", + "searchKey": "name={{Install packages based on 
package.json}}.{{community.general.npm}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 79, + "filename": "positive1.yaml", + "resourceType": "community.general.openbsd_pkg", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 84, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install ntpdate", + "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 89, + "filename": "positive1.yaml", + "resourceType": "community.general.pacman", + "resourceName": "Install package bar from file", + "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 94, + "filename": 
"positive1.yaml", + "resourceType": "community.general.pkg5", + "resourceName": "Install finger daemon", + "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 101, + "filename": "positive1.yaml", + "resourceType": "community.general.pkgutil", + "resourceName": "Install several packages", + "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 106, + "filename": "positive1.yaml", + "resourceType": "community.general.portage", + "resourceName": "Install package foo", + "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 111, + "filename": "positive1.yaml", + "resourceType": "community.general.slackpkg", + "resourceName": "Make sure that it is the most updated package", + "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' 
to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 116, + "filename": "positive1.yaml", + "resourceType": "community.general.sorcery", + "resourceName": "Make sure spell foo is installed", + "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 121, + "filename": "positive1.yaml", + "resourceType": "community.general.swdepot", + "resourceName": "Install package unzip", + "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 130, + "filename": "positive1.yaml", + "resourceType": "win_chocolatey", + "resourceName": "Install multiple packages", + "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 136, + "filename": "positive1.yaml", + "resourceType": "community.general.yarn", + "resourceName": "Install \"imagemin\" node.js package globally.", + "searchKey": "name={{Install \"imagemin\" 
node.js package globally.}}.{{community.general.yarn}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 144, + "filename": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install a list of packages (suitable replacement for 2.11 loop deprecation warning)", + "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 149, + "filename": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install local rpm file", + "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue" + } +] diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json index 1f10687fd09..3a3b43ec164 100644 --- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.ini" + "filename": "positive1.ini", + "resourceType": "n/a", + "resourceName": "children", + "searchKey": "[tower]", + "searchValue": "", + "expectedValue": "Ansible Tower IP should be private", + "actualValue": "Ansible Tower IP is public", + "issueType": "IncorrectValue" }, { "queryName": "Ansible Tower Exposed To Internet", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "children", + "searchKey": "all.children.tower.hosts", + "searchValue": "", + "expectedValue": "Ansible Tower IP should be private", + "actualValue": "Ansible Tower IP is public", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json index 8c4c5e42123..54c74a67951 100644 --- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 4, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 15, - "filename": 
"positive4.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", "line": 4, - "filename": "positive1.bicep" - }, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" + }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 4, - "filename": "positive3.bicep" + "line": 3, + "filename": "positive4.bicep", + "resourceType": 
"Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json index 31a9ddc78c3..efe27b62eef 100644 --- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 37, - "filename": "positive2.json" + "line": 6, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 39, - "filename": "positive4.json" + "line": 37, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + 
"expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", "line": 2, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.bicep" + "line": 8, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 2, - "filename": "positive3.bicep" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep" + "line": 39, + "filename": "positive4.json", + "resourceType": 
"Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json index 70cdf5c8a8f..87e0a908d18 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive1.json" + "line": 4, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 36, - "fileName": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive3.json" + "line": 26, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", 
"severity": "HIGH", - "line": 38, - "fileName": "positive4.json" + "line": 36, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", "line": 4, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "fileName": "positive2.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 4, - "fileName": 
"positive3.bicep" + "line": 26, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "fileName": "positive4.bicep" + "line": 38, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json index 2a226e8456a..be32cd0c6c2 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json 
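Review bot: The four actualValue strings that end in `set to true%!(EXTRA string=property value)` (the positive2.bicep, positive2.json, positive4.bicep and positive4.json entries of this hunk) pin a formatting artifact into the expected results instead of a real message. That suffix looks like Go's fmt marker for an argument the format string never consumed, which suggests the query's keyActualValue sprintf passes one more argument than it has placeholders; the fixture then only passes because it reproduces the defect. I would correct the format string in the query (outside this diff) and regenerate this file so each entry reads `"actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property value set to true",` rather than committing the artifact as the expected output.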
@@ -2,25 +2,53 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 14, - "filename": "positive1.json" + "line": 8, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 16, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", "line": 8, - "filename": "positive1.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 8, - "filename": "positive2.bicep" + "line": 16, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": 
"properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json index 1f589057ff2..5c11f896091 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json 
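Review bot: The expectedValue/actualValue pair pinned for every entry here is self-contradictory and does not match the query it belongs to: `'addonProfiles.kubeDashboard.enabled' should be defined and false` next to `'addonProfiles.kubeDashboard.enabled' property value is false` describes a compliant resource, yet "AKS Dashboard Is Enabled" with issueType IncorrectValue can only be firing because the value is true. Assuming the positive samples set `enabled: true` (they are not in this diff), the keyActualValue emitted by the query's rego is wrong and this fixture now locks the misleading text into CI, where a reader of a scan report will be told the dashboard is off when it is on. I would fix the message in query.rego, e.g. `"keyActualValue": "'addonProfiles.kubeDashboard.enabled' property value is true"`, and regenerate this file rather than committing the inconsistent strings.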
@@ -2,49 +2,105 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 8, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.json" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json" + "line": 6, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": 
"resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.bicep" + "line": 2, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", 
"severity": "MEDIUM", - "line": 2, - "filename": "positive4.bicep" + "line": 8, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json index 5c44f1fdc75..dbb8aaf034f 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json 
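Review bot: The IncorrectValue entries pin `'addonProfiles.omsagent.enabled' should be defined and false` as the expected value and `... property value is set to false` as the actual value, which reads as a compliant configuration for a query named "AKS Logging To Azure Monitoring Is Disabled". The expected text should state the secure value, i.e. `"keyExpectedValue": "'addonProfiles.omsagent.enabled' should be defined and true"`, and the inverted wording should be corrected in query.rego before regenerating this fixture, since an auditor reading the report will otherwise see a finding whose remediation advice disables logging. The MissingAttribute entries (`... is undefined`) are consistent and need no change.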
@@ -2,121 +2,261 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive1.json" + "line": 1, + "filename": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json" + "line": 8, + "filename": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 36, - "filename": "positive3.json" + "line": 31, + "filename": "positive10.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive4.json" + "line": 39, + "filename": "positive10.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + 
"expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 37, - "filename": "positive5.json" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 10, - "filename": "positive6.json" + "line": 6, + "filename": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive7.json" + "line": 30, + "filename": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 38, - "filename": "positive8.json" + "line": 36, + "filename": "positive3.json", + "resourceType": 
"Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive9.json" + "line": 2, + "filename": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 39, - "filename": "positive10.json" + "line": 6, + "filename": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 1, - "filename": "positive1.bicep" + "line": 31, + "filename": "positive5.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + 
"issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive2.bicep" + "line": 37, + "filename": "positive5.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive3.bicep" + "line": 1, + "filename": "positive6.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive4.bicep" + "line": 10, + "filename": "positive6.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive5.bicep" + "line": 2, + "filename": "positive7.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": 
"'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 1, - "filename": "positive6.bicep" + "line": 8, + "filename": "positive7.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive7.bicep" + "line": 30, + "filename": "positive8.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive8.bicep" + "line": 38, + "filename": "positive8.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 2, - "filename": "positive9.bicep" + "filename": "positive9.bicep", + "resourceType": 
"Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive10.bicep" + "line": 8, + "filename": "positive9.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json index d3571dede33..532fa8dad0e 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json 
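Review bot: Eight entries pin the expected-value text `'apiServerAuthorizedIPRanges' should be a defined as an array`, which has a stray "a" that will now be asserted by CI and shown verbatim in scan results. The wording should be fixed at its source in query.rego, `"keyExpectedValue": "'apiServerAuthorizedIPRanges' should be defined as an array"`, matching the phrasing already used for `'apiServerAccessProfile.authorizedIPRanges'` in the same file, and the fixture regenerated. Because this file freezes message strings, any later message correction in the rego will fail the test until the fixture is regenerated, so it is worth getting the text right in this commit.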
@@ -2,97 +2,209 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 37, - "fileName": "positive1.json" + "line": 33, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.json" + "line": 37, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 40, - "fileName": "positive4.json" + "line": 33, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": 
"resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 39, - "fileName": "positive5.json" + "line": 33, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 35, - "fileName": "positive6.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 42, - "fileName": "positive8.json" + "line": 40, + "filename": "positive4.json", + "resourceType": 
"Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.bicep" + "line": 39, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.bicep" + "line": 31, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service 
Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 35, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive5.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive6.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive7.bicep" + "line": 31, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource 
authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 42, + "filename": "positive8.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json index 9b56de65a46..998e14937d7 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 53, - "filename": "positive1.json" + "line": 27, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 40, - "filename": "positive2.json" + "line": 53, + "filename": "positive1.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 55, - "filename": "positive3.json" + "line": 17, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 42, - "filename": "positive4.json" + "line": 40, + "filename": "positive2.json", + "resourceType": 
"Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 27, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.bicep" + "line": 55, + "filename": "positive3.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.bicep" + "line": 17, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set 
to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive4.bicep" + "line": 42, + "filename": "positive4.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json index f69a151c8c5..d6e181462f6 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json 
@@ -2,49 +2,105 @@
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 30,
- "filename": "positive1.json"
+ "line": 18,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "['${variables('vmName')}-disk1']",
+ "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 19,
- "filename": "positive2.json"
+ "line": 30,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "[concat(variables('vmName'),'-disk1')]",
+ "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 32,
- "filename": "positive3.json"
+ "line": 7,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "['${variables('vmName')}-disk1']",
+ "searchKey": "resources.name=['${variables('vmName')}-disk1']",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 21,
- "filename": "positive4.json"
+ "line": 19,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "[concat(variables('vmName'),'-disk1')]",
+ "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
 "line": 18,
- "filename": "positive1.bicep"
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "['${variables('vmName')}-disk1']",
+ "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 7,
- "filename": "positive2.bicep"
+ "line": 32,
+ "filename": "positive3.json",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "[concat(variables('vmName'),'-disk1')]",
+ "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 18,
- "filename": "positive3.bicep"
+ "line": 7,
+ "filename": "positive4.bicep",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "['${variables('vmName')}-disk1']",
+ "searchKey": "resources.name=['${variables('vmName')}-disk1']",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Azure Managed Disk Without Encryption",
 "severity": "HIGH",
- "line": 7,
- "filename": "positive4.bicep"
+ "line": 21,
+ "filename": "positive4.json",
+ "resourceType": "Microsoft.Compute/disks",
+ "resourceName": "[concat(variables('vmName'),'-disk1')]",
+ "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]",
+ "searchValue": "",
+ "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true",
+ "actualValue": "'encryptionSettingsCollection.enabled' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
index 51ce6bdf54a..1d3e7d54d38 100644
--- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
@@ -2,37 +2,79 @@
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 13,
- "fileName": "positive1.json"
+ "line": 12,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive1",
+ "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 11,
- "fileName": "positive2.json"
+ "line": 13,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive1",
+ "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 12,
- "fileName": "positive3.json"
+ "line": 10,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive2",
+ "searchKey": "resources.name=positive2.properties.publicNetworkAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 12,
- "fileName": "positive1.bicep"
+ "line": 11,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive2",
+ "searchKey": "resources.name=positive2.properties.publicNetworkAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 10,
- "fileName": "positive2.bicep"
+ "line": 11,
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive3",
+ "searchKey": "resources.name=positive3.properties.publicNetworkAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
- "line": 11,
- "fileName": "positive3.bicep"
+ "line": 12,
+ "filename": "positive3.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "positive3",
+ "searchKey": "resources.name=positive3.properties.publicNetworkAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json
index 205542f4c46..bd3bf684e39 100644
--- a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json
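Review bot: The actualValue pinned for the four IncorrectValue entries ends with an unbalanced closing parenthesis — `networkAcls.defaultAction is set to 'Allow')` and `publicNetworkAccess is set to 'Enabled')` — which the sample files cannot have produced, so it almost certainly comes from the query's keyActualValue format string. Since this fixture now compares the message byte for byte, committing it locks the typo in and the next wording correction in query.rego will force all six entries to be regenerated. Fixing the message first (drop the trailing `)`, or balance it as the MissingAttribute variant `is not set (default is 'Enabled')` already does) and then regenerating would avoid that churn. The rename from `fileName` to `filename` on the removed lines is presumably intentional, but it is worth confirming the test harness no longer accepts the old key anywhere.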
@@ -2,145 +2,313 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 17, - "filename": "positive1.json" + "line": 7, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 17, + "filename": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 3, + "filename": "positive10.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' 
property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive4.json" + "line": 15, + "filename": "positive10.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 21, - "filename": "positive5.json" + "line": 11, + "filename": "positive11.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 20, - "filename": "positive6.json" + "line": 23, + "filename": "positive11.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 
'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 19, - "filename": "positive7.json" + "line": 10, + "filename": "positive12.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive8.json" + "line": 22, + "filename": "positive12.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 18, - "filename": "positive9.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": 
"resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive10.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 23, - "filename": "positive11.json" + "line": 6, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 22, - "filename": "positive12.json" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 
'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 7, - "filename": "positive1.bicep" + "line": 3, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 13, + "filename": "positive4.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive3.bicep" + "line": 11, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 
'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 21, + "filename": "positive5.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive5.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive6.bicep" + "line": 20, + "filename": "positive6.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 
'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", "line": 7, - "filename": "positive7.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive8.bicep" + "line": 19, + "filename": "positive7.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive9.bicep" + "line": 3, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 
'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive10.bicep" + "line": 15, + "filename": "positive8.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive11.bicep" + "line": 6, + "filename": "positive9.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive12.bicep" + "line": 18, + "filename": "positive9.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json index 66a1cf66b62..98f38be116c 100644 --- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json 
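Review bot: The actualValue recorded for every IncorrectValue entry (positive1, positive5, positive7 and positive11 in both .bicep and .json form) reads `should have 'alertNotifications.state' property set to 'Off'`, which presents the insecure value as if it were the recommendation and is nearly indistinguishable from the expectedValue on the line above it. This text is echoed from the query's message, so the fixture is faithful, but committing it pins the misleading wording; something like `'alertNotifications.state' property is set to 'Off'` (and the same for notificationsByRole) would describe the finding instead. The expectedValue for the IncorrectValue branch also differs from the MissingAttribute branch only by the inserted words "property value", which looks unintentional and is worth normalising in query.rego before these 24 entries are regenerated.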
@@ -2,25 +2,53 @@
 {
 "queryName": "Hardcoded SecureString Parameter Default Value",
 "severity": "HIGH",
- "line": 7,
- "fileName": "positive1.json"
+ "line": 2,
+ "filename": "positive1.bicep",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "parameters.adminPassword.defaultValue",
+ "searchValue": "",
+ "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded",
+ "actualValue": "parameters.adminPassword.defaultValue is hardcoded",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded SecureString Parameter Default Value",
 "severity": "HIGH",
- "line": 9,
- "fileName": "positive2.json"
+ "line": 7,
+ "filename": "positive1.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "parameters.adminPassword.defaultValue",
+ "searchValue": "",
+ "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded",
+ "actualValue": "parameters.adminPassword.defaultValue is hardcoded",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded SecureString Parameter Default Value",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive1.bicep"
+ "filename": "positive2.bicep",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "parameters.adminPassword.defaultValue",
+ "searchValue": "",
+ "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded",
+ "actualValue": "parameters.adminPassword.defaultValue is hardcoded",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded SecureString Parameter Default Value",
 "severity": "HIGH",
- "line": 2,
- "fileName": "positive2.bicep"
+ "line": 9,
+ "filename": "positive2.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "parameters.adminPassword.defaultValue",
+ "searchValue": "",
+ "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded",
+ "actualValue": "parameters.adminPassword.defaultValue is hardcoded",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json
index aedb11e80d1..a0f2068346c 100644
--- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json
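Review bot: `resourceType` and `resourceName` use the literal sentinel `n/a` for a parameter-level finding, while `searchValue` in the same four entries expresses "nothing applicable" with `""`; the other ARM fixtures in this diff use the empty string throughout, so consumers that filter on empty fields will treat these records differently. Settling on one convention in the query before regenerating would keep the expected results uniform. Separately, the `actualValue` reports `parameters.adminPassword.defaultValue is hardcoded` without echoing the default itself, which is the right choice for a message that ends up in committed fixtures and scan reports and should stay that way.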
@@ -2,73 +2,157 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 39, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 17, - "fileName": "positive3.json" + "line": 27, + "filename": "positive2.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", "severity": 
"HIGH", - "line": 41, - "fileName": "positive4.json" + "line": 39, + "filename": "positive2.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive1.bicep" + 
"line": 27, + "filename": "positive4.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 27, - "fileName": "positive2.bicep" + "line": 41, + "filename": "positive4.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive3.bicep" + "line": 18, + "filename": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - 
"line": 27, - "fileName": "positive4.bicep" + "line": 18, + "filename": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json index 5493d0ff29d..5b9fbfeecd6 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json 
@@ -2,25 +2,53 @@ { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 22, - "fileName": "positive1.json" + "line": 9, + "filename": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 24, - "fileName": "positive2.json" + "line": 22, + "filename": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 9, - "fileName": "positive1.bicep" + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 9, - 
"fileName": "positive2.bicep" + "line": 24, + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json index a2a485c0bac..65b8b2908cf 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json 
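Review bot: Every `expectedValue` added in this hunk embeds Go fmt bad-operand output — `categories[%!d(string=property value)] %!s(int=0)` — which indicates the query's sprintf receives its arguments in the wrong order for the `%d`/`%s` verbs (presumably the string and the index are swapped), and committing the garbled text as the expected result pins that defect in place. The fix belongs in the query's format call, after which this fixture should be regenerated rather than hand-edited so that the message reads as a proper `categories[<index>]` reference. As committed, a reader cannot tell whether the mismatch is deliberate or a regression the fixture now protects.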
@@ -2,49 +2,105 @@ { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive1.json" + "line": 6, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.json" + "line": 16, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.json" + "line": 8, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive4.json" + "line": 18, + "filename": 
"positive2.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.bicep" + "line": 18, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.bicep" + "line": 8, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + 
"searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive4.bicep" + "line": 20, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 81f2c0350d3..a10c9db24a6 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 19, - "fileName": "positive1.json" + "line": 9, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 13, - "fileName": "positive2.json" + "line": 19, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": 
"IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 21, - "fileName": "positive4.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 15, - "fileName": "positive5.json" + "line": 10, + "filename": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 22, - "fileName": "positive6.json" + "line": 20, + "filename": "positive3.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 9, - "fileName": "positive1.bicep" + "filename": "positive4.bicep", + "resourceType": 
"Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 3, - "fileName": "positive2.bicep" + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 10, - "fileName": "positive3.bicep" + "line": 3, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 9, - "fileName": "positive4.bicep" + "line": 15, + "filename": "positive5.json", + 
"resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 3, - "fileName": "positive5.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 10, - "fileName": "positive6.bicep" + "line": 22, + "filename": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index f4b05c4f8ac..ff5edf09279 100644 
--- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -2,79 +2,170 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.json" + "line": 9, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 19, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 20, - "fileName": "positive3.json" + "line": 3, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, 
{ "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 15, - "fileName": "positive5.json" + "line": 10, + "filename": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive6.json" + "line": 20, + "filename": "positive3.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive7.json" + "line": 9, + "filename": "positive4.bicep", + "resourceType": 
"Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.bicep" + "line": 21, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.bicep" + "line": 15, + "filename": "positive5.json", + "resourceType": 
"Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 3, - "fileName": "positive5.bicep" + "line": 22, + "filename": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive6.bicep" + "line": 22, + "filename": "positive7.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": 
"resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json index 05b67ec86dd..a943a8a9840 100644 --- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json 
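Review bot: The `expectedValue` strings in this hunk are phrased as a statement (`resource with type '…' restricts access to SSH`) whereas the sibling RDP fixture in the same commit uses the prescriptive `should restrict access to RDP`; these values are presumably copied from the query's keyExpectedValue, so the inconsistency originates in the query text rather than this file. Aligning the two queries on one phrasing would keep the expected/actual pairs readable across the network-security-group checks; if the query wording is changed, regenerate this fixture instead of editing it by hand.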
@@ -2,25 +2,53 @@ { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 13, - "fileName": "positive1.json" + "line": 3, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 13, + "filename": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", "line": 3, - "fileName": "positive1.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 3, - "fileName": "positive2.bicep" + "line": 
15, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json index b6417cef88c..ee61c504472 100644 --- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive1.json" + "line": 36, + "filename": "positive1.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.json" + "line": 45, + "filename": "positive1.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.json" + "line": 2, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive4.json" + "line": 9, + "filename": "positive2.json", + "resourceType": 
"Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.json" + "line": 2, + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.json" + "line": 9, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 36, - "fileName": "positive1.bicep" + "filename": "positive4.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 
'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.bicep" + "line": 47, + "filename": "positive4.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "fileName": "positive4.bicep" + "line": 11, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.bicep" + "filename": "positive6.bicep", + 
"resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 11, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json index 1cc3d9d0314..977c3e1d2ed 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json 
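Review bot: The `configurations` entries in this hunk (positive1.bicep, positive1.json, positive4.bicep, positive4.json) pin an expectedValue of `resource 'property value' should have an 'auditingsettings' servers1 resource enabled` and an actualValue of `resource 'servers1' doesn't have an 'auditingsettings' resource enabled`, neither of which describes connection throttling. The `'property value'` / `servers1` placement looks like swapped sprintf arguments and the `auditingsettings` wording like a copy from a different query; the server-level `MissingAttribute` entries (`resources.name=servers1`) carry the same `auditingsettings` text. This fixture only records what the query emits, so the fix belongs in that query's keyExpectedValue/keyActualValue strings, but merging the hunk as-is pins the misleading remediation text as the expected result and forces another regeneration once the message is corrected. Suggest correcting the query and regenerating this file before merge, or at least tracking it as a follow-up.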
@@ -2,97 +2,209 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.json" + "line": 40, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 43, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 33, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + 
"actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 45, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive5.json" + "line": 32, + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": 
"resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive8.json" + "line": 43, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.bicep" + "filename": "positive5.bicep", + 
"resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.bicep" + "line": 45, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 33, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { 
"queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 47, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive5.bicep" + "line": 32, + "filename": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 31, + "filename": "positive8.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 45, + "filename": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
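Review bot: The positive4.bicep, positive4.json, positive8.bicep and positive8.json entries in this hunk pin an expectedValue of `... should have 'log_checkpoints' property set to 'off'`, which is the non-compliant value the query is flagging; every other entry in the same file states the expectation as `'on'`. The positive3/positive7 entries likewise pair an `IncorrectValue` with an actualValue of `doesn't have 'log_checkpoints' property set to 'off'`, which reads inverted for a value that presumably is `off`. The same query-message problem shows up in the next file's hunk (postgresql_server_log_connections_disabled), where the MissingAttribute entries carry the double negative `doesn't have 'log_connections' value undefined`. These strings originate in each query's sprintf, so the fix is in query.rego followed by regenerating the fixture; as written, the fixture locks in remediation text that points operators at the insecure setting.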
diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json index 20ea5616ff9..12942e62fca 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json 
@@ -2,97 +2,209 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.json" + "line": 31, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 40, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 33, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 
'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 45, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 42, - "fileName": "positive5.json" + "line": 32, + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 44, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": 
"resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive8.json" + "line": 43, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive1.bicep" + "filename": 
"positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.bicep" + "line": 42, + "filename": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 33, + "filename": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": 
"IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 47, + "filename": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.bicep" + "line": 32, + "filename": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 46, + "filename": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 31, + "filename": "positive8.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 45, + "filename": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json index 55b0b39ad44..ca808439ee5 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.json" + "line": 13, + "filename": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.json" + "line": 12, + "filename": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server 
SSL Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive4.json" + "line": 13, + "filename": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.bicep" + "line": 16, + "filename": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - 
"fileName": "positive3.bicep" + "line": 12, + "filename": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.bicep" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json index 494dc192beb..c26cb5e96e0 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 18, - "fileName": "positive1.json" + "line": 8, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 18, - "fileName": "positive2.json" + "filename": "positive1.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 8, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' 
allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive4.json" + "line": 18, + "filename": "positive2.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "fileName": "positive2.bicep" + "line": 20, + "filename": "positive3.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive3.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "fileName": "positive4.bicep" + "line": 20, + "filename": "positive4.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json index 07b856517d0..d1e6eac5e0f 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 49, - "filename": "positive1.json" + "line": 33, + "filename": "positive1.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 54, - "filename": "positive2.json" + "line": 49, + "filename": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 51, - "filename": "positive3.json" + "line": 35, + "filename": "positive2.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 56, - "filename": "positive4.json" + "line": 54, + 
"filename": "positive2.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", "line": 33, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive2.bicep" + "line": 51, + "filename": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 33, - "filename": "positive3.bicep" + "line": 35, + "filename": "positive4.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": 
"resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive4.bicep" + "line": 56, + "filename": "positive4.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json index 203f8fff574..942df5b45d3 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 46, - "filename": "positive1.json" + "line": 31, + "filename": "positive1.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive2.json" + "line": 46, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive3.json" + "line": 33, + "filename": "positive2.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 48, - "filename": "positive4.json" + "filename": "positive2.json", + "resourceType": 
"Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive5.json" + "line": 33, + "filename": "positive3.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive6.json" + "line": 48, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 31, - "filename": "positive1.bicep" + "filename": "positive4.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": 
"resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive2.bicep" + "line": 48, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive3.bicep" + "filename": "positive5.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive4.bicep" + "line": 50, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + 
"searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive5.bicep" + "filename": "positive6.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive6.bicep" + "line": 50, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json index 0b8fdaabb48..f7c1a361ed3 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json 
+++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 31, - "filename": "positive1.json" + "line": 18, + "filename": "positive1.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 14, - "filename": "positive2.json" + "line": 31, + "filename": "positive1.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 33, - "filename": "positive3.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 16, - "filename": "positive4.json" + "line": 14, + "filename": "positive2.json", + "resourceType": 
"Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 18, - "filename": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive2.bicep" + "line": 33, + "filename": "positive3.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 18, - "filename": "positive3.bicep" + "line": 4, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress 
should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive4.bicep" + "line": 16, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json index 40352de71bc..1af4cf6eb5b 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json 
@@ -2,97 +2,209 @@ { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 4, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive3.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 19, - "filename": 
"positive4.json" + "line": 16, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.json" + "line": 7, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive6.json" + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + 
"resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive8.json" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.bicep" + "line": 1, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep" + "line": 12, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "properties.template.resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": 
"MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.bicep" + "line": 4, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.bicep" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive5.bicep" + "line": 8, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive6.bicep" + "line": 23, + "filename": "positive7.json", + "resourceType": 
"Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive7.bicep" + "line": 1, + "filename": "positive8.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive8.bicep" + "line": 13, + "filename": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json index a3671a1324c..7a54722eb35 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json 
@@ -2,85 +2,183 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 48, - "filename": "positive1.json" + "line": 36, + "filename": "positive1.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 43, - "filename": "positive2.json" + "line": 48, + "filename": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 50, - "filename": "positive3.json" + "line": 31, + "filename": "positive2.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 45, - "filename": "positive4.json" + 
"line": 43, + "filename": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 32, - "filename": "positive5.json" + "line": 36, + "filename": "positive3.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 29, - "filename": "positive6.json" + "line": 50, + "filename": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 40, - "filename": "positive7.json" + "line": 31, + "filename": "positive4.bicep", + "resourceType": 
"auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive1.bicep" + "line": 45, + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive2.bicep" + "line": 19, + "filename": "positive5.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive3.bicep" + "line": 32, + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "sqlServer1/default", + "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", + "searchValue": "", + 
"expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive4.bicep" + "line": 16, + "filename": "positive6.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 19, - "filename": "positive5.bicep" + "line": 29, + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "[format('{0}/{1}', 'sqlServer1', 'default')]", + "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 16, - "filename": "positive6.bicep" + "line": 31, + "filename": "positive7.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" }, { 
"queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive7.bicep" + "line": 40, + "filename": "positive7.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index 3c2defc7892..6782965d029 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json 
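Review bot: The expectedValue `'auditingSettings.properties.retentionDays' property value should be defined and above 90 days` is paired with actualValue `... property value is 89` for positive5.bicep and positive5.json, which reads as a boundary test at 90; if a value of exactly 90 passes the query, "above 90 days" misstates the threshold and `should be defined and at least 90 days` would be the accurate wording. That text originates in query.rego rather than in this fixture, so the comparison there should be confirmed before the expected strings are touched. Separately, the bicep entries carry the short child type `"resourceType": "auditingSettings"` while the json entries carry `"resourceType": "Microsoft.Sql/servers/databases/auditingSettings"`; if that is the scanner's normal output for nested bicep resources it is fine, but a one-line comment in the generator script explaining it would stop the discrepancy being read as a regression later.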
@@ -3,90 +3,195 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive1.bicep" + "filename": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive1.bicep" + "filename": "positive1.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 16, - "filename": "positive2.bicep" + "filename": "positive2.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 
'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive3.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 15, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": 
"", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 15, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 23, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive7.json" + "filename": "positive7.json", + 
"resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 23, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive8.json" + "filename": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive9.json" + "filename": "positive9.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue" } ] 
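Review bot: The same actualValue `resource 'sqlServer1' is missing an enabled 'auditingsettings' resource` is paired with `"issueType": "MissingAttribute"` for positive1.bicep, positive4.json and positive5.json but with `"issueType": "IncorrectValue"` for positive2.bicep, positive3.bicep and positive6.json through positive9.json, so the message no longer identifies which condition the query detected. If the rego has two rules (auditing resource absent vs. present but not enabled) that emit identical text, a matcher keyed on expectedValue/actualValue patterns cannot tell them apart, and a reviewer cannot verify from this fixture that each issueType is the right one. Consider giving the not-enabled case its own actualValue, e.g. `resource 'sqlServer1' has an 'auditingsettings' resource whose state is not 'Enabled'`, so that each issueType is backed by a distinct message.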
diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json index d934e5404b5..6c1acf26ad2 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json 
@@ -2,37 +2,79 @@ { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 27, - "filename": "positive1.json" + "line": 18, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 29, - "filename": "positive2.json" + "line": 27, + "filename": "positive1.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 23, - "filename": "positive3.json" + "line": 18, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive1.bicep" + "line": 29, + "filename": "positive2.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": 
"Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive2.bicep" + "line": 10, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue" }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 10, - "filename": "positive3.bicep" + "line": 23, + "filename": "positive3.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json index efe274a3d47..63732bbd2fb 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json 
@@ -2,73 +2,157 @@
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 41,
- "fileName": "positive1.json"
+ "line": 19,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[variables('storageAccountName')]",
+ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 18,
- "fileName": "positive2.json"
+ "line": 41,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[variables('storageAccountName')]",
+ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 8,
- "fileName": "positive3.json"
+ "line": 12,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name=storageaccount1Positive2.properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 43,
- "fileName": "positive4.json"
+ "line": 18,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name=storageaccount1Positive2.properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 20,
- "fileName": "positive5.json"
+ "line": 1,
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 10,
- "fileName": "positive6.json"
+ "line": 8,
+ "filename": "positive3.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
 "line": 19,
- "fileName": "positive1.bicep"
+ "filename": "positive4.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[variables('storageAccountName')]",
+ "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 12,
- "fileName": "positive2.bicep"
+ "line": 43,
+ "filename": "positive4.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[variables('storageAccountName')]",
+ "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 1,
- "fileName": "positive3.bicep"
+ "line": 12,
+ "filename": "positive5.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name=storageaccount1Positive2.properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 19,
- "fileName": "positive4.bicep"
+ "line": 20,
+ "filename": "positive5.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 12,
- "fileName": "positive5.bicep"
+ "line": 1,
+ "filename": "positive6.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Default Network Access",
 "severity": "LOW",
- "line": 1,
- "fileName": "positive6.bicep"
+ "line": 10,
+ "filename": "positive6.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json
index a7fe7354ff6..ae99734acb4 100644
--- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json
@@ -2,73 +2,157 @@
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 19,
- "fileName": "positive1.json"
+ "line": 13,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1",
+ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.json"
+ "line": 19,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1",
+ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 18,
- "fileName": "positive3.json"
+ "line": 2,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name={{storageaccount1Positive2}}",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 21,
- "fileName": "positive4.json"
+ "line": 6,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name={{storageaccount1Positive2}}",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive5.json"
+ "line": 12,
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name={{storageaccount1Positive3}}properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 20,
- "fileName": "positive6.json"
+ "line": 18,
+ "filename": "positive3.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name={{storageaccount1Positive3}}properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.bicep"
+ "filename": "positive4.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1",
+ "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 2,
- "fileName": "positive2.bicep"
+ "line": 21,
+ "filename": "positive4.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1",
+ "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive3.bicep"
+ "line": 2,
+ "filename": "positive5.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name={{storageaccount1Positive2}}",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive4.bicep"
+ "line": 8,
+ "filename": "positive5.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive2",
+ "searchKey": "resources.name={{storageaccount1Positive2}}",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 2,
- "fileName": "positive5.bicep"
+ "line": 12,
+ "filename": "positive6.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name={{storageaccount1Positive3}}properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Account Allows Unsecure Transfer",
 "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive6.bicep"
+ "line": 20,
+ "filename": "positive6.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "storageaccount1Positive3",
+ "searchKey": "resources.name={{storageaccount1Positive3}}properties",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
index 8958f4d9404..345c5eb1152 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
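Review bot: The searchKey recorded for positive3.bicep, positive3.json, positive6.bicep and positive6.json, `"resources.name={{storageaccount1Positive3}}properties"`, has no separator between the resource name and `properties`, and the `{{…}}` form differs from the `resources.name=storageaccount1.properties.supportsHttpsTrafficOnly` form used by the other entries in this file and by the sibling expected-result files in this commit. Since this fixture pins scanner output, committing it as-is locks that formatting in; it looks like a slip in the query's searchKey sprintf rather than something to preserve. I would fix the searchKey in the query and regenerate this file before merging, or, if the key is intentionally shaped this way, add a short note in the PR description saying so.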
@@ -2,61 +2,131 @@
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 15,
- "fileName": "positive1.json"
+ "line": 5,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "resourceName": "blob/container/example",
+ "searchKey": "resources.name=blob/container/example.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 107,
- "fileName": "positive2.json"
+ "line": 15,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "resourceName": "blob/container/example",
+ "searchKey": "resources.name=blob/container/example.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 50,
- "fileName": "positive3.json"
+ "line": 87,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[parameters('storageAccountName')]",
+ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 17,
- "fileName": "positive4.json"
+ "line": 107,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "resourceName": "[concat(parameters('storageAccountName'), '/default')]",
+ "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 109,
- "fileName": "positive5.json"
+ "line": 29,
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "resourceName": "['${parameters('storageAccountName')}/default/${parameters('containerName')}']",
+ "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 52,
- "fileName": "positive6.json"
+ "line": 50,
+ "filename": "positive3.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[parameters('storageAccountName')]",
+ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 96,
- "fileName": "positive7.json"
+ "line": 17,
+ "filename": "positive4.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "resourceName": "blob/container/example",
+ "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive1.bicep"
+ "line": 109,
+ "filename": "positive5.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/blobServices",
+ "resourceName": "[concat(parameters('storageAccountName'), '/default')]",
+ "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 87,
- "fileName": "positive2.bicep"
+ "line": 52,
+ "filename": "positive6.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[parameters('storageAccountName')]",
+ "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Blob Service Container With Public Access",
 "severity": "HIGH",
- "line": 29,
- "fileName": "positive3.bicep"
+ "line": 96,
+ "filename": "positive7.json",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "resourceName": "[parameters('storageAccountName')]",
+ "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess",
+ "searchValue": "",
+ "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'",
+ "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
index a38a9ae1865..3dcf6994c34 100644
--- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
@@ -2,223 +2,482 @@
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 80,
- "fileName": "positive1.json"
+ "line": 7,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 84,
- "fileName": "positive1.json"
+ "line": 11,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 88,
- "fileName": "positive1.json"
+ "line": 15,
+ "filename": "positive1.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 77,
- "fileName": "positive2.json"
+ "line": 80,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 77,
- "fileName": "positive2.json"
+ "line": 84,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 80,
- "fileName": "positive2.json"
+ "line": 88,
+ "filename": "positive1.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 67,
- "fileName": "positive3.json"
+ "line": 4,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete",
+ "searchValue": "StorageDelete",
+ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method",
+ "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 67,
- "fileName": "positive3.json"
+ "line": 4,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite",
+ "searchValue": "StorageWrite",
+ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method",
+ "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 67,
- "fileName": "positive3.json"
+ "line": 4,
+ "filename": "positive2.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers",
+ "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead",
+ "searchValue": "StorageRead",
+ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method",
+ "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 82,
- "fileName": "positive4.json"
+ "line": 77,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite",
+ "searchValue": "StorageWrite",
+ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method",
+ "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 86,
- "fileName": "positive4.json"
+ "line": 77,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete",
+ "searchValue": "StorageDelete",
+ "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method",
+ "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 90,
- "fileName": "positive4.json"
+ "line": 80,
+ "filename": "positive2.json",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]",
+ "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead",
+ "searchValue": "",
+ "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method",
+ "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Storage Logging For Read Write And Delete Requests Disabled",
 "severity": "MEDIUM",
- "line": 79,
- "fileName": "positive5.json"
+ "line": 7,
+ "filename": "positive3.bicep",
+ "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings",
+ "resourceName":
"Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - "fileName": "positive5.json" + "line": 15, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 82, - "fileName": "positive5.json" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + 
"issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 67, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 4, + "filename": "positive4.bicep", + "resourceType": 
"Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.bicep" + "line": 4, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.bicep" + "line": 82, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' 
should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.bicep" + "line": 86, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.bicep" + "line": 90, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": 
"MEDIUM", "line": 4, - "fileName": "positive2.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage 
Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive3.bicep" + "line": 79, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.bicep" + "line": 79, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - 
"fileName": "positive4.bicep" + "line": 82, + "filename": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive5.bicep" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + 
"searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 2, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - 
"line": 2, - "fileName": "positive6.bicep" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": 
"Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute" }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 273685f7d4b..15646be49ca 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json 
@@ -2,85 +2,183 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.json" + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "filename": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive3.json" + "line": 11, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": 
"MEDIUM", - "line": 23, - "fileName": "positive4.json" + "line": 21, + "filename": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive5.json" + "line": 11, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive6.json" + "line": 23, + "filename": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive7.json" + 
"line": 11, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.bicep" + "line": 23, + "filename": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.bicep" + "line": 9, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.bicep" + "line": 17, + "filename": "positive5.json", + "resourceType": 
"Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.bicep" + "line": 1, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.bicep" + "line": 19, + "filename": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.bicep" + "line": 10, + "filename": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", + "searchValue": "", + 
"expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive7.bicep" + "line": 18, + "filename": "positive7.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json index 3ce6f3b5fcd..c812745a0fa 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json 
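Review bot: The six new MissingAttribute entries (positive5.bicep/json, positive6.bicep/json, positive7.bicep/json) pin `"resourceName": "value.name"`, which reads like an unresolved expression rather than a resolved resource name — the IncorrectValue entries in the same hunk resolve it to `"storage"`, and the matching searchKey lines resolve the same resource to `positive5`, `positive6`, `positive7`. This looks like an artifact of the query's MissingAttribute branch emitting a literal, though I cannot confirm that from the fixture alone. Committing it as an expected result would make the regression suite assert the suspicious value and hide a later fix; please verify against the query before merging, or add a comment in the PR description noting that `value.name` is the known current output.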
@@ -2,73 +2,157 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive1.json" + "line": 12, + "filename": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 25, - "fileName": "positive2.json" + "line": 26, + "filename": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive2.json" + "line": 11, + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - 
"fileName": "positive3.json" + "line": 12, + "filename": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 27, - "fileName": "positive4.json" + "line": 25, + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "fileName": "positive4.json" + "line": 26, + "filename": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "microsoft.insights/logprofiles", + 
"resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive2.bicep" + "line": 28, + "filename": "positive3.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 11, - "fileName": "positive2.bicep" + "filename": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "fileName": "positive3.bicep" + "filename": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + 
"expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive4.bicep" + "line": 27, + "filename": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive4.bicep" + "line": 28, + "filename": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json index 559db459cb4..ed40f9ff810 100644 
--- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json 
@@ -2,145 +2,313 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive1.json" + "line": 10, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive1.json" + "line": 11, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 20, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 
'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive2.json" + "line": 21, + "filename": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive3.json" + "line": 9, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive4.json" + "line": 10, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher 
than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive5.json" + "line": 19, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 23, - "fileName": "positive5.json" + "line": 20, + "filename": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive6.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 
'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive6.json" + "line": 15, + "filename": "positive3.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "fileName": "positive7.json" + "line": 5, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "fileName": "positive8.json" + "line": 15, + "filename": "positive4.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 
'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 10, - "fileName": "positive1.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 11, - "fileName": "positive1.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive2.bicep" + "line": 22, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 23, + "filename": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 9, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": 
"resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive5.bicep" + "line": 21, + "filename": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive5.bicep" + "line": 22, + "filename": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive6.bicep" + "line": 5, + "filename": "positive7.bicep", + "resourceType": 
"Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive6.bicep" + "line": 17, + "filename": "positive7.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 5, - "fileName": "positive7.bicep" + "filename": "positive8.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive8.bicep" + "line": 17, + "filename": "positive8.json", + 
"resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json index 239378fb4dd..8211cb230e0 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 6, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.json" + "line": 4, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 13, - "filename": "positive4.json" + "line": 12, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS 
Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json" + "line": 6, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json" + "line": 14, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.bicep" + "line": 5, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep" + "line": 13, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.bicep" 
+ "line": 11, + "filename": "positive5.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties.minTlsVersion", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is defined to '1.1'", + "issueType": "IncorrectValue" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.bicep" + "line": 17, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 11, - "filename": "positive5.bicep" + "line": 10, + "filename": "positive6.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 10, - "filename": "positive6.bicep" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index a4f6d28793d..8d0c4f93526 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json 
@@ -2,85 +2,183 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive1.json" + "line": 2, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 10, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive3.json" + "line": 5, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 12, - "fileName": "positive4.json" + "line": 15, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", 
+ "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive5.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive6.json" + "line": 15, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive7.json" + "line": 2, + "filename": 
"positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive1.bicep" + "line": 12, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "properties.template.resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "fileName": "positive2.bicep" + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 17, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": 
"resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive4.bicep" + "line": 5, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive5.bicep" + "line": 17, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "fileName": "positive6.bicep" + "filename": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive7", + "searchKey": 
"resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive7.bicep" + "line": 18, + "filename": "positive7.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json index 139dfcbc9e3..e76eb5a8f1e 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" + "line": 7, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 17, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + 
"expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.bicep" + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": 
"positive4.bicep" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index 0c8d1bb5c60..d1578cc4b54 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" + "line": 7, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 17, + "filename": "positive2.json", + "resourceType": 
"Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive5.json" + "line": 5, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive6.json" + "line": 17, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.bicep" + "line": 7, + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 19, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 25, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.bicep" + "line": 46, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 
'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive5.bicep" + "line": 23, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive6.bicep" + "line": 44, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json index d0b031f4309..94a00940568 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json 
+++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "filename": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 15, + "filename": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive3.json" + "line": 9, + "filename": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive4.json" + "line": 19, + "filename": "positive2.json", + "resourceType": "Microsoft.Web/sites", + 
"resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 21, - "fileName": "positive5.json" + "line": 8, + "filename": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 20, - "fileName": "positive6.json" + "line": 18, + "filename": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.bicep" + "filename": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 17, + "filename": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive3.bicep" + "line": 9, + "filename": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 21, + "filename": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 
'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "fileName": "positive5.bicep" + "line": 8, + "filename": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive6.bicep" + "line": 20, + "filename": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json index b170be0f78e..e2601f563c9 100644 --- a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Run Using apt", "severity": "LOW", "line": 3, - "fileName": "positive.sh" + "filename": "positive.sh", + "resourceType": "", + "resourceName": "", + "searchKey": "from[{{fedora}}].{{buildah run ${c} apt install python3-setuptools -y}}", + "searchValue": "", + "expectedValue": "RUN instructions should not use the 'apt' program", + "actualValue": "RUN instruction is invoking the 'apt' program", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index d286f9fe022..398e24e3cb2 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", + "searchValue": "github.event.pull_request.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" 
}, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Issue Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by 
user.", + "issueType": "IncorrectValue" }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index cd44b6b0881..044beb409ee 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json 
@@ -1,44 +1,93 @@ [ - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive1.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive3.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive4.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive5.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive6.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive7.yaml" - } + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: 
context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.pull_request.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive5.yaml", + "resourceType": "", 
+ "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Script block does not contain dangerous input controlled by 
user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json index 239e93bff3d..b626a5eb747 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Unpinned Actions Full Length Commit SHA", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "uses={{thollander/actions-comment-pull-request@v2}}", + "searchValue": "", + "expectedValue": "Action pinned to a full length commit SHA.", + "actualValue": "Action is not pinned to a full length commit SHA.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index cf333643e72..efd604c5d30 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json 
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Unsecured Commands",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Unsecured Commands",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Unsecured Commands",
- "severity": "MEDIUM",
- "line": 16,
- "fileName": "positive3.yaml"
- }
+ {
+ "queryName": "Unsecured Commands",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "env.actions_allow_unsecure_commands={{true}}",
+ "searchValue": "",
+ "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Unsecured Commands",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "env.actions_allow_unsecure_commands={{true}}",
+ "searchValue": "",
+ "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Unsecured Commands",
+ "severity": "MEDIUM",
+ "line": 16,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "env.actions_allow_unsecure_commands={{true}}",
+ "searchValue": "",
+ "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.",
+ "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json
index 141986e6d6a..26c18e5fab5 100644
--- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "High Access Key Rotation Period",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Config::ConfigRule",
+ "resourceName": "access-keys-rotated",
+ "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge",
+ "searchValue": "",
+ "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)",
+ "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive2.json",
 "queryName": "High Access Key Rotation Period",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Config::ConfigRule",
+ "resourceName": "access-keys-rotated",
+ "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge",
+ "searchValue": "",
+ "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)",
+ "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
index 752bfdd1cca..bb64784ba3d 100644
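Review bot: The pinned expectedValue/actualValue on both entries name `Resources.ConfigRule.InputParameters.maxAccessKeyAge`, while the searchKey on the same entry is `Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge`, so the message path and the matched key disagree by the `Properties` segment. Because these fixtures now compare message text verbatim, that wording (including the non-idiomatic "should be less or equal to 90 (days)") becomes part of the test contract and can only be corrected together with the query's message and a regenerate of this file; whether the strings are copied from the rego or hand-written here is not visible in the hunk. I would align the message to the searchKey, e.g. `"expectedValue": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge should be less than or equal to 90 (days)"`, or restrict the comparison to the stable fields (queryName, line, filename, issueType) if message wording is expected to keep changing.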
--- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22", + "searchKey": "Resources.MyLoadBalancer22", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.yaml", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV2' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV2' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { - "fileName": "positive3.json", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22222222", + "searchKey": "Resources.MyLoadBalancer22222222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22222222' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 4, - "fileName": "positive4.json" 
+ "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV22222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json index 04e2f4531a9..630bb17e82e 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json 
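Review bot: The expectedValue pinned on all four entries, "should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", reads as if an internal scheme were itself the violation, which is the opposite of what a query named "ALB Is Not Integrated With WAF" presumably checks: an internet-facing load balancer without a WebACLAssociation, with an internal scheme being an acceptable alternative. The actualValue "does not have an 'internal' scheme and a 'WebACLAssociation' associated" carries the same ambiguity, and this file now locks both strings in as the test oracle. If that reading is right, the fix belongs in the query's message followed by a regenerate, e.g. `"expectedValue": "'Resources.MyLoadBalancer22' should be 'internal' or have a 'WebACLAssociation' associated"`. The hunk begins at line 3 of the file, so the first entry's opening brace is outside it.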
@@ -1,32 +1,67 @@ [ { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 25 + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 13 + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { - "line": 35, - "fileName": "positive2.json", "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { - "line": 9, - "fileName": "positive2.json", "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 35, + "filename": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": 
"Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json index 71586537796..ad3e06cf175 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "Alexa Skill Plaintext Client Secret Exposed",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive1.yaml",
+ "resourceType": "Alexa::ASK::Skill",
+ "resourceName": "MySkill",
+ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'",
+ "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Alexa Skill Plaintext Client Secret Exposed",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "Alexa::ASK::Skill",
+ "resourceName": "MySkill",
+ "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'",
+ "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json
index b6f9e0c14ad..8920107f467 100644
--- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Amazon DMS Replication Instance Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 9,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DMS::ReplicationInstance",
+ "resourceName": "ReplicationInstance",
+ "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'",
+ "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amazon DMS Replication Instance Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DMS::ReplicationInstance",
+ "resourceName": "ReplicationInstance",
+ "searchKey": "Resources.ReplicationInstance.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'",
+ "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Amazon DMS Replication Instance Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 9,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DMS::ReplicationInstance",
+ "resourceName": "ReplicationInstance",
+ "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'",
+ "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
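Review bot: The actualValue pinned for positive1.yaml and positive3.yaml ends with `is defined to 'true` — the closing quote is missing, so this file now locks in a malformed message as the expected scan output. The MissingAttribute entry for positive2.yaml uses the balanced form `should be defined to 'false'`, which suggests a typo in the query's message rather than in this fixture; fix it at the source and regenerate, e.g. `"actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true'"`. The searchKey stopping at `.Properties` on the positive2.yaml entry is consistent with a MissingAttribute result, so that one looks correct as is.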
diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json
index 23eaadc63ed..28e494cc5cf 100644
--- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "AmazonMQ Broker Encryption Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::AmazonMQ::Broker",
+ "resourceName": "MyBasicBroker",
+ "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined",
+ "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "AmazonMQ Broker Encryption Disabled",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::AmazonMQ::Broker",
+ "resourceName": "MyBasicBroker",
+ "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined",
+ "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json
index 15c356f85c1..acc420ed1b3 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { - "line": 10, - "fileName": "positive3.yaml", "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "filename": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { - "fileName": "positive1.yaml", "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6 + "line": 10, + "filename": "positive3.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { - "line": 11, - "fileName": "positive4.json", "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 11, + "filename": "positive4.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": 
"Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 7, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue" }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 9, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json index f96f04cb1a8..5ab8145cc3f 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json 
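Review bot: For the Parameters entries (positive2.yaml and positive5.json) the pinned messages are inverted — `"expectedValue": "Parameters.ParentAccessToken.Default should be defined"` against `"actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined"` says a default is required, whereas for an access-token parameter the finding is presumably that a Default value is present. The expected text should read `"Parameters.ParentAccessToken.Default should not be defined"` and the actual `"Parameters.ParentAccessToken.Default is defined"`; since these strings are the query's output, correct them in the query and regenerate this file rather than hand-editing it. Two of the Resources entries also record `"resourceName": "String"`, which looks like a placeholder Name in the test template rather than a real resource name — harmless for the assertion, but a descriptive fixture name would make failures easier to read. The actualValue on the Resources entries ("must be defined as a parameter or have a secret manager referenced") is remediation advice rather than an observed state, which blurs the expected/actual distinction the new fields are meant to capture.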
@@ -3,36 +3,78 @@
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Amplify::App",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::Amplify::App",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::Amplify::App",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json
index e205140998d..2772e06e9ac 100644
--- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json
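Review bot: The positive1/positive3/positive6 entries pin `"resourceName": "NewAmpApp"` while their `searchKey` targets `Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password`; if resourceName is meant to carry the resource's Name property that is consistent, but if it is meant to be the logical ID it disagrees with the searchKey, and `NewAmpApp-1` is not a valid CloudFormation logical ID in any case (alphanumeric only), so the positive fixture cannot be deployed to confirm the finding is real. As with the other Amplify fixtures, the `Parameters.ParentPassword.Default` entries lock in an inverted expected/actual pair (`should be defined` as the expectation for a Default the query is flagging, `shouldn't be defined` as the observation); that text comes from query.rego and should be fixed there before regenerating this file.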
@@ -2,25 +2,53 @@
 {
 "queryName": "Amplify App OAuth Token Exposed",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.yaml"
+ "line": 4,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Amplify::App",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 4,
- "fileName": "positive1.yaml",
 "queryName": "Amplify App OAuth Token Exposed",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 5,
+ "filename": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App OAuth Token Exposed",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::Amplify::App",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify App OAuth Token Exposed",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json
index d6968d166f3..1fb5258084e 100644
--- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json
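Review bot: Every entry in this file for the `Amplify App OAuth Token Exposed` query points at `Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password` or `Parameters.ParentPassword.Default`, never at the app's OAuth token property, so the regenerated fixture now asserts that the OAuth-token query reports basic-auth passwords. Either the positive1–4 test files were copied from the basic-auth query and never contain an OAuth token value, or query.rego inspects the wrong attribute; in both cases the OAuth-token check itself is effectively untested, and this fixture would keep passing while that stays broken. The searchKey/expectedValue/actualValue strings should reference the OAuth token property (something like `Resources.NewAmpApp.Properties.OauthToken`) once the fixtures or the rego are corrected and the file regenerated; neither the rego nor the positive*.yaml files are visible here, so please verify which side is wrong before merging.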
@@ -3,37 +3,78 @@
 "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Amplify::Branch",
+ "resourceName": "NewAmpApp1",
+ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
- "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 19,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::Amplify::Branch",
+ "resourceName": "NewAmpApp1",
+ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentPassword.Default should be defined",
+ "actualValue": "Parameters.ParentPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::Amplify::Branch",
+ "resourceName": "NewAmpApp1",
+ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Amplify Branch Basic Auth Config Password Exposed",
 "severity": "HIGH",
 "line": 19,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::Amplify::Branch",
+ "resourceName": "NewAmpApp1",
+ "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json
index 4038d0f764d..694edebdd8b 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json
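Review bot: As rendered, the positive3.json entry removes its `"queryName": "Amplify Branch Basic Auth Config Password Exposed",` line and the new side adds no replacement, so that entry would carry no queryName for the test harness to match on while the other five entries do. The old-side count of 37 in the hunk header (one more than six plain entries need) suggests a duplicated line was removed and a surviving context line was lost in this rendering, but that should be confirmed in the actual file rather than assumed. Independently, the `Parameters.ParentPassword.Default` entries pin `should be defined` as the expectation for a Default the query is flagging and `shouldn't be defined` as the observation, which reads inverted; since the strings come from query.rego, fix them there and regenerate rather than hand-editing this file.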
@@ -3,114 +3,247 @@
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.MethodSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive2.json"
+ "line": 19,
+ "filename": "positive10.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties.MethodSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null",
+ "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 21,
- "fileName": "positive3.json"
+ "line": 4,
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "MethodSettings",
+ "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 19,
- "fileName": "positive4.json"
+ "line": 13,
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.MethodSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive5.json"
+ "line": 21,
+ "filename": "positive12.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel",
+ "searchValue": "",
+ "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF",
+ "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive6.json"
+ "line": 4,
+ "filename": "positive13.yaml",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "DefaultRouteSettings",
+ "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive7.json"
+ "line": 14,
+ "filename": "positive13.yaml",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.DefaultRouteSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 4,
- "fileName": "positive8.yaml"
+ "line": 14,
+ "filename": "positive14.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.MethodSettings.LoggingLevel",
+ "searchValue": "",
+ "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should not be set to OFF",
+ "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel is OFF",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 4,
- "fileName": "positive9.yaml"
+ "line": 15,
+ "filename": "positive15.yaml",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel",
+ "searchValue": "",
+ "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF",
+ "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 19,
- "fileName": "positive10.json"
+ "line": 4,
+ "filename": "positive16.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "AccessLogSetting",
+ "expectedValue": "'AccessLogSetting' should be defined",
+ "actualValue": "'AccessLogSetting' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive11.yaml"
+ "filename": "positive17.yaml",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "AccessLogSettings",
+ "expectedValue": "'AccessLogSettings' should be defined",
+ "actualValue": "'AccessLogSettings' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive11.yaml"
+ "line": 7,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties",
+ "searchValue": "DefaultRouteSettings",
+ "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null",
+ "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive12.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel",
+ "searchValue": "",
+ "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF",
+ "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 4,
- "fileName": "positive13.yaml"
+ "line": 19,
+ "filename": "positive4.json",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null",
+ "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive13.yaml"
+ "line": 6,
+ "filename": "positive5.json",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties",
+ "searchValue": "AccessLogSettings",
+ "expectedValue": "'AccessLogSettings' should be defined",
+ "actualValue": "'AccessLogSettings' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive14.yaml"
+ "line": 6,
+ "filename": "positive6.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties",
+ "searchValue": "AccessLogSetting",
+ "expectedValue": "'AccessLogSetting' should be defined",
+ "actualValue": "'AccessLogSetting' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
- "line": 15,
- "fileName": "positive15.yaml"
+ "line": 7,
+ "filename": "positive7.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.MyStage.Properties",
+ "searchValue": "MethodSettings",
+ "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null",
+ "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive16.yaml"
+ "filename": "positive8.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "MethodSettings",
+ "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive17.yaml"
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::ApiGatewayV2::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties",
+ "searchValue": "DefaultRouteSettings",
+ "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null",
+ "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json
index 5c7f7c57d03..747e281a18e 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json
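Review bot: All nineteen entries pin `"queryName": "API Gateway V2 Stage Access Logging Settings Not Defined"`, yet ten of them are findings on `AWS::ApiGateway::Stage` (the REST/V1 resource) and the query lives in `api_gateway_access_logging_disabled`, so the name the scanner reports is wrong for more than half of the results this fixture covers. The name comes from the query metadata rather than from this file, so the fix belongs there (a neutral name such as `API Gateway Stage Access Logging Disabled`, or a split into a V1 and a V2 query if the names are meant to differ) followed by regeneration. Minor: `resourceName` is `Prod` even on entries whose searchKey is `Resources.MyStage...`, which presumably reflects the StageName property rather than the logical ID — worth confirming that is the intended field, and the rego's `are undefined or null` for a single LoggingLevel could be `is` while the messages are being touched.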
@@ -3,36 +3,78 @@
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null",
+ "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 31,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true",
+ "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null",
+ "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true",
+ "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 31,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true",
+ "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Cache Cluster Disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true",
+ "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json
index fc1ce51db13..2a494cb27e2 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive2.json",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 11
+ "line": 11,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive3.yaml",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive4.json",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive4.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive5.yaml",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive6.json",
 "queryName": "API Gateway Cache Encrypted Disabled",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive6.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted",
+ "searchValue": "",
+ "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true",
+ "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json
index 348bf203e11..6ff9c9c2d85 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json
@@ -2,37 +2,79 @@
 {
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
- "line": 21,
- "fileName": "positive2.yaml"
+ "line": 29,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined",
+ "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive3.yaml",
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
- "line": 21
+ "line": 21,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment1",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource",
+ "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
- "line": 29,
- "fileName": "positive1.yaml"
+ "line": 21,
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment2",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource",
+ "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive4.json",
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive4.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined",
+ "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment1",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource",
+ "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Deployment Without Access Log Setting",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::ApiGateway::Deployment",
+ "resourceName": "DummyStage",
+ "searchKey": "Resources.ApiDeployment2",
+ "searchValue": "",
+ "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource",
+ "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource",
+ "issueType": "IncorrectValue"
 }
 ]
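Review bot: The positive1.yaml and positive4.json entries pin `"expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined"`, which drops the dot between `StageDescription` and `AccessLogSetting` that the searchKey and actualValue on the same entries have; since this file is generated from query.rego the typo lives in the rego's keyExpectedValue and should be fixed there, then the fixture regenerated, rather than being frozen by the test. In the ApiDeployment1/ApiDeployment2 entries expectedValue and actualValue are the same sentence apart from `as the` versus `in the`, so the actual value describes nothing that was observed; a keyActualValue such as `Resources.ApiDeployment1 has no AWS::ApiGateway::Stage whose DeploymentId.Ref points to it` would make the finding readable. Whether `IncorrectValue` is right for a missing associated Stage (the first entry uses `MissingAttribute` for the missing AccessLogSetting) depends on the rego's intent, which is not visible here.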
diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 98171acb95d..cd7f3ea6269 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { - "line": 4, - "fileName": "positive2.yaml", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW" + "severity": "LOW", + "line": 4, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue" }, { - "line": 5, - "fileName": "positive4.json", "queryName": "API Gateway Deployment Without API 
Gateway UsagePlan Associated", - "severity": "LOW" + "severity": "LOW", + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { - "fileName": "positive5.json", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue" } ] 
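Review bot: In the positive2/3/5/6 entries of this hunk the `actualValue` restates the requirement ("... should be the same in the Deployment1 resource") instead of reporting what was observed, so it differs from `expectedValue` only by "as" versus "in", and pinning it here makes the test enforce an uninformative message. If these strings are copied from the query's output, the wording belongs in query.rego, e.g. `"actualValue": "Resources.Deployment1 is not associated with an AWS::ApiGateway::UsagePlan whose RestApiId and StageName match"`, with this fixture regenerated afterwards. The same pattern appears in the api_gateway_stage_without_api_gateway_usage_plan_associated hunk below (the Prod1/Prod2 entries).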
diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
index 61437b8b033..fefed42415f 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute" }, { - "line": 14, - "fileName": "positive2.json", "queryName": "API Gateway Endpoint Config is Not Private", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": 
"'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 2862d01c542..72a94c5e2e3 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": 
"Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 13, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 7, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index bc88b844206..1beac9d582d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ { + "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml", - "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive4.json" + "filename": 
"positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 476b31885dd..64dc2af3645 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "fileName": "positive4.json" + "line": 17, + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "fileName": "positive2.yaml" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi5.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 22, - "fileName": "positive5.json" + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": 
"Resources.RestApi6.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" + "line": 22, + "filename": "positive5.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi8.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json index 75c0bb8a047..228fbc44785 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "API Gateway With Open Access",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Method",
+ "resourceName": "MockMethod",
+ "searchKey": "Resources.MockMethod.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS",
+ "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway With Open Access",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Method",
+ "resourceName": "MockMethod",
+ "searchKey": "Resources.MockMethod.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS",
+ "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
index f12a5dcc457..9d0f2318235 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket5", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "fileName": "positive7.json" + "line": 3, + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi6", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "fileName": "positive8.json" + "line": 3, + "filename": "positive4.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi7", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + 
"actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yaml" + "line": 4, + "filename": "positive5.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket8", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.yaml" + "line": 20, + "filename": "positive6.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket9", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.json" + "filename": "positive7.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi10", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 20, - "fileName": "positive6.json" + "line": 4, + "filename": "positive8.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": 
"Resources.MyRestApi11", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json index b41df1f3039..1d14375b515 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json 
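Review bot: Four entries in this hunk (positive1.yaml, positive2.yaml, positive5.json, positive6.json) have `resourceType` `AWS::ApiGatewayV2::Api` and a `resourceName` of `TL-Dev-WebSocket-API`, yet their `expectedValue`/`actualValue` say "API Gateway REST API should be associated with an API Gateway Authorizer", so the message names the wrong resource kind for a V2 API. If the text is copied from query.rego, the wording there should be made resource-neutral, e.g. `"expectedValue": "API Gateway API should be associated with an API Gateway Authorizer"` and `"actualValue": "API Gateway API is not associated with an API Gateway Authorizer"`, and this fixture regenerated; as committed, the fixture pins the misleading message for the V2 resources.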
@@ -2,25 +2,53 @@
 {
 "queryName": "API Gateway Without Security Policy",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive2.yaml"
+ "line": 20,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::DomainName",
+ "resourceName": "cfnDomainName",
+ "searchKey": "Resources.myDomainName.Properties.SecurityPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2",
+ "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Without Security Policy",
 "severity": "MEDIUM",
- "line": 20,
- "fileName": "positive1.yaml"
+ "line": 13,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ApiGateway::DomainName",
+ "resourceName": "cfnDomainName",
+ "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined",
+ "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway Without Security Policy",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ApiGateway::DomainName",
+ "resourceName": "cfnDomainName",
+ "searchKey": "Resources.myDomainName.Properties.SecurityPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2",
+ "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive4.json",
 "queryName": "API Gateway Without Security Policy",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive4.json",
+ "resourceType": "AWS::ApiGateway::DomainName",
+ "resourceName": "cfnDomainName",
+ "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy",
+ "searchValue": "",
+ 
"expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined",
+ "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
index 7809abfcec6..9a39af39bd9 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "API Gateway Without SSL Certificate",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdApiGatewayStagePos.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdApiGatewayStagePos.Properties should have ClientCertificateId defined",
+ "actualValue": "Resources.ProdApiGatewayStagePos.Properties doesn't have ClientCertificateId defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "API Gateway Without SSL Certificate",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdApiGatewayStagePos2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdApiGatewayStagePos2.Properties should have ClientCertificateId defined",
+ "actualValue": "Resources.ProdApiGatewayStagePos2.Properties doesn't have ClientCertificateId defined",
+ "issueType": "MissingAttribute"
 }
 ]
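Review bot: The positive1.yaml and positive3.json entries of the api_gateway_without_security_policy hunk carry an identical `expectedValue` and `actualValue` (`"Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2"` for both), so the fixture pins a finding that never reports the value actually found; the actual-side string should describe the observation, e.g. `"actualValue": "Resources.myDomainName.Properties.SecurityPolicy is not TLS_1_2"`. The positive2.yaml and positive4.json entries are internally contradictory: their messages say the attribute "should not be defined" and "is defined", yet `issueType` is `MissingAttribute`, which is the type for an absent attribute — either the two message strings are inverted relative to what the query checks (a TLS-policy check presumably wants SecurityPolicy present and set to TLS_1_2, so "should be defined"/"is undefined" would fit `MissingAttribute`) or the issue type should be `RedundantAttribute`. Since these strings appear to be copied from the query's own output, the correction belongs in query.rego with the fixture regenerated afterwards; committing them as expected results makes the test suite enforce the inconsistency.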
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
index 6bd883801f4..647f4ca2a54 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
 "queryName": "API Gateway without WAF",
- "severity": "MEDIUM",
+ "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.StageName",
+ "searchValue": "",
+ "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall",
+ "actualValue": "API Gateway Stage is not associated with a Web Application Firewall",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway without WAF",
 "severity": "MEDIUM",
 "line": 33,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.StageName",
+ "searchValue": "",
+ "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall",
+ "actualValue": "API Gateway Stage is not associated with a Web Application Firewall",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
index 8eeda87f4fb..b31be0e31cb 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos3.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos3.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos3.Properties.TracingEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos4.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 23, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 6, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 8e31712dcf2..359d22060c4 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ { - "line": 28, - "fileName": "positive1.yaml", "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 28, + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute" }, { - "fileName": "positive1.yaml", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 38, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 78, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 126 + "line": 126, + "filename": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index a7a2b2484ab..93e627b36bc 100644 --- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 42, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 44, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + 
"issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 42, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 17, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 44, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": 
"'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index 2a6d712aed3..b4e3278d547 100644 --- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 12, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 21, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 12, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": 
"AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 939db20c092..8077cb67c2e 100644 --- a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 14, - "fileName": "positive1.json" + "filename": "positive1.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive10.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive3.json" + "line": 15, + "filename": "positive11.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 10, - "fileName": "positive4.yaml" + "line": 12, + "filename": "positive12.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": 
"Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 15, - "fileName": "positive5.json" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive6.yaml" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 13, - "fileName": "positive7.json" + "line": 10, + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 
10, - "fileName": "positive8.yaml" + "line": 15, + "filename": "positive5.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 14, - "fileName": "positive9.json" + "line": 12, + "filename": "positive6.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive10.yaml" + "line": 13, + "filename": "positive7.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 15, - "fileName": "positive11.json" + "line": 10, + "filename": "positive8.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": 
"Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", - "line": 12, - "fileName": "positive12.yaml" + "line": 14, + "filename": "positive9.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 2dc7aa82920..c16b62e99af 100644 --- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": "MissingAttribute" }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue" }, { + "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, - "fileName": "positive2.json", - "queryName": "CDN Configuration Is Missing" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 15 + "line": 15, + "filename": "positive2.json", + "resourceType": 
"AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json index 8ce4013218e..42e53eda972 100644 --- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ { + "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.yaml", - "queryName": "CloudFormation Specifying Credentials Not Safe" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 71, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + 
"issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 48, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute" }, { - "line": 51, - "fileName": "positive2.json", "queryName": "CloudFormation Specifying Credentials Not Safe", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 51, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute" }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 112, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + "issueType": 
"MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 309047d4b3d..251b50fbdd4 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + "issueType": "MissingAttribute" }, { - "line": 30, - "fileName": "positive2.yaml", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 30, + "filename": "positive2.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue" }, { - "line": 6, - "fileName": "positive3.json", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 6, + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + "issueType": "MissingAttribute" }, { - "line": 40, - "fileName": "positive4.json", "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 40, + "filename": 
"positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index 6d69099acae..2e3286f29b8 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { + "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.yaml", - "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": 
"Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50 + "line": 50, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 53cec9a0d72..f768dfdfc38 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 25, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute" }, { - "line": 55, - "fileName": "positive2.json", "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": 
"Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { + "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json", - "queryName": "CloudFront Without Minimum Protocol TLS 1.2" + "line": 55, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json index ed9820e4c0b..6ad894b0192 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json 
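Review bot: All four entries in this hunk pin message strings with an unbalanced quote, e.g. `"expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x"` — the path is closed with `'` but never opened, so the fixture now codifies a formatting defect in the query's output rather than the intended text. Because these files are regenerated from scan output, the fix belongs in the query's message template (presumably a sprintf in its query.rego) followed by regeneration; hand-editing the JSON would just diverge again on the next run. The positive2.json entries also swap `"line": 55` and `"line": 11` between `cloudfrontdistribution` and `cloudfrontdistribution2`; that is plausible if the earlier file had them reversed, but it changes which resource each assertion checks and is worth confirming against the sample.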
@@ -3,24 +3,52 @@ "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive3.yaml", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 21 + "line": 21, + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": "IncorrectValue" }, { - "fileName": "positive4.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive4.json", + "resourceType": 
"AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 0a532feff98..05e2ccfc9ce 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json 
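Review bot: The positive3.yaml and positive4.json entries record an empty resource name in the message path, `"expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined"`, while `searchKey` for the same finding carries `Resources.cloudfrontdistribution.Properties...`. That double dot looks like the query's invalid-value branch interpolating a variable that is unset in that branch, and committing it here turns the defect into an expected result the test suite will defend. I would fix the message in the query and regenerate this fixture rather than accept the current strings; the two `MissingAttribute` entries above them are well-formed and unaffected.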
@@ -3,48 +3,104 @@ "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 77, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 108, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": 
"'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 62, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 77, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 108, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": 
"'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 0c9a19e668c..34c2b2eaff4 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 53, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 6, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 989c8dbedb1..ac7303c07d0 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail3.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + "searchKey": "Resources.myTrail6.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", "severity": 
"MEDIUM", "line": 20, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail.Properties.IsLogging' is false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index ed813dff05c..b60f47ec0d6 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json 
@@ -1,32 +1,67 @@ [ - { + { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 76, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + 
"issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 309385fe204..50de33de32f 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json 
@@ -1,50 +1,106 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive2.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "filename": "positive2.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, - "fileName": "positive3.yaml", - "queryName": "CloudTrail Not 
Integrated With CloudWatch" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": 
"'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index c7914b58792..1f47d82e375 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail4.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { - "line": 9, - "fileName": "positive2.json", "queryName": "CloudTrail SNS Topic Name Undefined", - "severity": "LOW" + "severity": "LOW", + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail5.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 23, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + "searchKey": "Resources.myTrail6.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute" } 
-] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index 372d5fa2709..05bbf33bad1 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { + "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml", - "queryName": "CloudWatch Logging Disabled" + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone3.Properties", + "searchValue": "", + "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone4.Properties", + "searchValue": "", + "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set", + "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index d67127722ba..89476453db0 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json 
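Review bot: In the CloudWatch Logging Disabled hunk, `"resourceName": "HostedZone"` does not agree with the paths recorded for the same finding, `"searchKey": "Resources.HostedZone3.Properties"` and `"expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set"` (and `HostedZone4` in the second entry), and the expectedValue path also drops the `.Properties` segment that searchKey includes. It may be that `resourceName` is taken from a `Name` property rather than the logical id, in which case this is fine, but I cannot tell from the fixture alone; confirm against positive1.yaml/positive2.json so the expected results are not pinning a wrong resource attribution. The rest of this hunk, and the CloudTrail SNS hunk that ends on the same line, look consistent.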
@@ -3,48 +3,104 @@ "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + 
"actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + 
"actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json index d1b3cd303b5..43b8a0201f8 100644 --- a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json 
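Review bot: Three of the new entries in this hunk (positive1.yaml line 18, positive2.json line 32, positive5.yaml line 18) carry `"issueType": "MissingAttribute"` although their actualValue reads `MetricsEnabled is set to false`, i.e. the attribute is present with the wrong value. Elsewhere in this diff the same situation is classified as IncorrectValue (for example the `is false` entries for CMK Rotation Disabled and CMK Unencrypted Storage). The fixture presumably only pins what the query currently emits, so the likely root cause is the query's rego reporting a single issueType for both its defined-but-false and undefined branches; committing these values as expected results would cement that classification, so it is worth correcting the query and regenerating this file before merging.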
@@ -3,30 +3,65 @@ "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 59, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue" }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "filename": 
"positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json index 5ebce8e3f8f..dca9e8c299b 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json 
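Review bot: The two PendingWindowInDays entries (positive1.yaml line 30, positive2.json line 59) expect `"issueType": "IncorrectValue"` for a finding whose expectedValue is `should be undefined` and whose actualValue is `is defined`. An attribute that should not be present at all is the case the RedundantAttribute issue type is intended for, and the Enabled entries in the same file already show IncorrectValue being used for a present-but-wrong value. If the query's rego is emitting IncorrectValue here, consider changing it to RedundantAttribute and regenerating this file rather than pinning the current output.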
@@ -3,30 +3,65 @@ "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 31, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 49, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", "severity": 
"LOW", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json index 33a0d16b773..e9a9dfd7d04 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 54, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 24, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 36, - "fileName": "positive3.yaml", - "queryName": "CMK Unencrypted Storage" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 58, - "fileName": "positive4.json", - "queryName": "CMK Unencrypted Storage" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is 
undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 25, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive6.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 37 + "line": 37, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { - "fileName": "positive7.yaml", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 4 + "line": 4, + "filename": "positive7.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive8.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + 
"issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json index 7c93149d589..ea0d1f87ebb 100644 --- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { + "queryName": "CodeBuild Not Encrypted", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml", - "queryName": "CodeBuild Not Encrypted" + "filename": "positive1.yaml", + "resourceType": "AWS::CodeBuild::Project", + "resourceName": "CodeBuildProject", + "searchKey": "Resources.CodeBuildProject.Project.Properties", + "searchValue": "", + "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CodeBuild Not Encrypted", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CodeBuild::Project", + "resourceName": "CodeBuildProject", + "searchKey": "Resources.CodeBuildProject.Project.Properties", + "searchValue": "", + "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null", + "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index ae5f99ba86a..b1f1a739f2d 100644 
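Review bot: Both new entries in the codebuild_not_encrypted hunk pin message strings with an unbalanced quote: `"expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null"` and the matching actualValue open no quote but close one after `EncryptionKey`. The `.Project.` segment in `"searchKey": "Resources.CodeBuildProject.Project.Properties"` also looks like a doubled path element rather than a real CloudFormation property path, though that depends on how the query builds it. Since expected results are compared verbatim, committing them as-is turns these apparent typos in the query's messages into required behaviour; fixing the rego first and regenerating would avoid that.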
--- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json 
@@ -2,25 +2,53 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 8, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 10, + "filename": "positive2.json", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue" }, { + "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 10, - "fileName": "positive2.json", - "queryName": "Cognito UserPool Without MFA" + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + 
"expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index b59fb53e28f..7f607b4f463 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator1", + "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 33, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": 
"'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 49, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 24, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all 
configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 43, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 62, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": 
"'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json index 695b9f2ccc9..06bfe0e4898 100644 --- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule", + "searchValue": "", + "expectedValue": "There should be a ConfigRule for encrypted volumes.", + "actualValue": "There isn't a ConfigRule for encrypted volumes.", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive2.json", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule", + "searchValue": "", + "expectedValue": "There should be a ConfigRule for encrypted volumes.", + "actualValue": "There isn't a ConfigRule for encrypted volumes.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json index acd66f251b2..4638d69a281 100644 --- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ { - "line": 13, - "fileName": "positive1.yaml", "queryName": "Connection Between CloudFront Origin Not Encrypted", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 19, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": 
"Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" }, { + "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 56, - "fileName": "positive2.json", - "queryName": "Connection Between CloudFront Origin Not Encrypted" + "filename": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index efb66945b4a..a19bcdbd730 100644 --- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json 
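Review bot: All four new actualValue strings in this hunk read `... ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'`, where the quote placement is off (`isn't` sits inside the quoted value); judging by the paired expectedValue the intended form is `ViewerProtocolPolicy isn't 'https-only' or 'redirect-to-https'`. The fixture mirrors the query's current message, so the wording should be fixed in the rego and this file regenerated, otherwise the malformed text becomes the required output.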
@@ -3,36 +3,78 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": 
"AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index c34b2aca335..432d3b71012 100644 --- a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 9, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 9, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive8.json" + "filename": "positive8.json", + 
"resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 14755c73640..f851558a8f3 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB 
Security Group Open To Large Scope", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 13, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 19, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 9, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": 
"Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 20, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 31, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 9, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": 
"Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 18, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 27, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 09e8322a452..a8522ffe940 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json 
@@ -3,90 +3,195 @@ "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 20, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos1", + "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 32, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group 
With Public Scope", "severity": "CRITICAL", "line": 36, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 52, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 61, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - 
"fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 9, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 26, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos3", + "searchKey": "Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 41, - "fileName": "positive3.json" 
+ "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 47, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 70, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 82, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + 
"resourceName": "DBEC2SecurityGroupIngressIPv6_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 9, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos4", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos5", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json index 4df0f766fc8..556821a1290 100644 --- a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index b90bf1cf9c9..030ab417d75 100644 --- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default 
Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", 
"severity": "HIGH", "line": 13, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 25, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json index 208eae633ff..e2761f7bd43 100644 --- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json 
@@ -2,37 +2,79 @@
 {
 "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive3.yaml"
+ "line": 14,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DirectoryService::MicrosoftAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp-2.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DirectoryService::MicrosoftAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
- "line": 14,
- "fileName": "positive1.yaml"
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DirectoryService::MicrosoftAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp-2.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
 "line": 11,
- "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "AWS::DirectoryService::MicrosoftAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default is defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json
index 8df12a589f9..cc1e869c1d4 100644
--- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
 {
- "fileName": "positive3.yaml",
 "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
- "line": 5
+ "line": 18,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DirectoryService::SimpleAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp4.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.yaml",
- "queryName": "Directory Service Simple AD Password Exposed"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DirectoryService::SimpleAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp5.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
- "line": 18,
- "fileName": "positive1.yaml"
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
 "line": 20,
- "fileName": "positive4.json",
- "queryName": "Directory Service Simple AD Password Exposed"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DirectoryService::SimpleAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp4.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive5.json",
 "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive5.json",
+ "resourceType": "AWS::DirectoryService::SimpleAD",
+ "resourceName": "String",
+ "searchKey": "Resources.NewAmpApp5.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Directory Service Simple AD Password Exposed",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json
index cb7f890e5bb..e52a9146a43 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json
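Review bot: The `expectedValue`/`actualValue` pair recorded for the `Parameters.ParentMasterPassword.Default` entries (positive3.yaml and positive6.json) reads inverted for a query that flags a plaintext default password: `"expectedValue": "Parameters.ParentMasterPassword.Default should be defined"` against `"actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined"`, whereas the Microsoft AD fixture just above records `should not be defined` / `is defined`. The same inverted wording appears in the DMS Endpoint MongoDB Settings, DMS Endpoint Password Exposed and DocDB Cluster Master Password hunks that follow. These strings presumably mirror the query's own keyExpectedValue/keyActualValue, so committing them as expected results freezes the inverted text into the test baseline; the correction belongs in the rego with the fixtures regenerated afterwards. The `issueType` of `IncorrectValue` on these entries is consistent with the sibling fixtures and is not affected.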
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json 
@@ -1,38 +1,80 @@
 [
 {
- "line": 13,
- "fileName": "positive1.yaml",
 "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive1.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.MasterMongoDBPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined",
+ "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 24,
- "fileName": "positive2.yaml",
 "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 24,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "NewAmpApp5",
+ "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive3.yaml",
- "queryName": "DMS Endpoint MongoDB Settings Password Exposed"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "NewAmpApp6",
+ "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.MasterMongoDBPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined",
+ "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "NewAmpApp5",
+ "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint MongoDB Settings Password Exposed",
 "severity": "HIGH",
 "line": 38,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "NewAmpApp6",
+ "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json
index f309b51052e..fead76ad193 100644
--- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json
@@ -2,37 +2,79 @@
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.yaml"
+ "line": 20,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "DMSEndpoint4",
+ "searchKey": "Resources.DMSEndpoint4.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
- "line": 20,
- "fileName": "positive1.yaml"
+ "line": 5,
+ "filename": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
 "line": 25,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "DMSEndpoint6",
+ "searchKey": "Resources.DMSEndpoint6.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
 "line": 23,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "DMSEndpoint4",
+ "searchKey": "Resources.DMSEndpoint4.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DMS Endpoint Password Exposed",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::DMS::Endpoint",
+ "resourceName": "DMSEndpoint6",
+ "searchKey": "Resources.DMSEndpoint6.Properties.Password",
+ "searchValue": "",
+ "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string",
+ "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json
index da879bc197f..23a323d6676 100644
--- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
 {
+ "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.yaml",
- "queryName": "DocDB Cluster Master Password In Plaintext"
+ "line": 12,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
- "line": 12,
- "fileName": "positive1.yaml"
+ "line": 5,
+ "filename": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "NewAmpApp03",
+ "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive4.json",
- "queryName": "DocDB Cluster Master Password In Plaintext"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "NewAmpApp",
+ "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Parameters.ParentMasterPassword.Default",
+ "searchValue": "",
+ "expectedValue": "Parameters.ParentMasterPassword.Default should be defined",
+ "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Cluster Master Password In Plaintext",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "NewAmpApp03",
+ "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword",
+ "searchValue": "",
+ "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string",
+ "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json
index ffbae5321d4..d70ea07d4e7 100644
--- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "MyDocDBCluster",
+ "searchKey": "Resources.MyDocDBCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined",
+ "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "MyDocDBCluster",
+ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports",
+ "searchValue": "",
+ "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler",
+ "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "MyDocDBCluster",
+ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports",
+ "searchValue": "",
+ "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler",
+ "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DocDB::DBCluster",
+ "resourceName": "MyDocDBCluster",
+ "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports",
+ "searchValue": "",
+ "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler",
+ "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: profiler",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
index ca734781071..098b7d85240 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "DynamoDB Table Not Encrypted",
 "severity": "HIGH",
 "line": 18,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "my-table",
+ "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DynamoDB Table Not Encrypted",
 "severity": "HIGH",
 "line": 17,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "my-table",
+ "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be set and to 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DynamoDB Table Not Encrypted",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "AuthorsTable_prod",
+ "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'",
+ "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
index 6b9c1de7eae..56e6d90a739 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 6,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "MyDynamoDBTable",
+ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 4,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "my-table",
+ "searchKey": "Resources.MyDynamoDBTable.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 8,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "DynamoDBOnDemandTable1",
+ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'",
+ "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 5,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "DynamoDBOnDemandTable1",
+ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'",
+ "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 5,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "MyDynamoDBTable",
+ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 7,
- "filename": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "DynamoDBOnDemandTable1",
+ "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification",
+ "searchValue": "",
+ "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'",
+ "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 6,
- "filename": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::DynamoDB::Table",
+ "resourceName": "MyDynamoDBTable",
+ "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'",
+ "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json
index 9e900553ca0..eb93f862202 100644
--- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json
@@ -3,42 +3,91 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": 
"Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json index 9d6b05aba69..185780e0414 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 16, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 79ec37039ae..9ef17e0a7c6 100644 
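Review bot: The pinned `actualValue` for both fixtures, `Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'`, does not say which value was found, and the paired `expectedValue` says it should be neither, which together name the only two values the attribute can legally take. If the query is meant to flag one specific mode, the message presumably should carry the observed value (for example `... is set to 'PROVISIONED'` against `... should be set to '<recommended mode>'`) so a reader of the report can act on it; as written the fixture locks in a message with no actionable content. Since this file is generated from query output, the fix belongs in the query's message strings, with this file regenerated afterwards.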
--- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume02", + "searchKey": "Resources.NewVolume02.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 15, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume02", + "searchKey": "Resources.NewVolume02.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null", + "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume 
Encryption Disabled", "severity": "HIGH", "line": 8, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true", + "actualValue": "Resources.NewVolume.Properties.Encrypted is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json index f16e1565d8e..bdf6c6ad336 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EBS Volume Not Attached To Instances", "severity": "LOW", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "'Resources.NewVolume' should be attached to instances", + "actualValue": "'Resources.NewVolume' is not attached to instances", + "issueType": "MissingAttribute" }, { "queryName": "EBS Volume Not Attached To Instances", "severity": "LOW", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "'Resources.NewVolume' should be attached to instances", + "actualValue": "'Resources.NewVolume' is not attached to instances", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json index fffab5be473..ec4990023d2 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EBS Volume Without KmsKeyId", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "EBS Volume Without KmsKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Volume", + "resourceName": "NewVolume", + "searchKey": "Resources.NewVolume.Properties", + "searchValue": "", + "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined", + "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json index 3b88d058195..b3618f9b926 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { + "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", "line": 55, - "fileName": "positive1.yaml", - "queryName": "EC2 Instance Has No IAM Role" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": 
"'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { - "line": 47, - "fileName": "positive2.json", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 47, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "EC2 Instance Has No IAM Role", "severity": "MEDIUM", - "line": 94 + "line": 94, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" }, { - "line": 53, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 4, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoIAM.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set", + "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined", + "issueType": "MissingAttribute" }, { - "line": 4, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 29, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + 
"searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile", + "searchValue": "", + "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource", + "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource", + "issueType": "MissingAttribute" }, { - "line": 29, - "fileName": "positive3.yaml", "queryName": "EC2 Instance Has No IAM Role", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 53, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Test", + "searchKey": "Resources.NoRolesProfile.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set", + "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 98e34e6fa58..a7a731fb01a 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.Monitoring", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'", + "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json index 95bff5b59c4..71a35e67bde 100644 
--- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "mySubnet", + "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch", + "searchValue": "", + "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false", + "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 21e8b9adb1c..caae1aa760b 100644 --- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 23, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group", + "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 13ad6579c84..00fe838751b 100644 
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "DefaultVPC", + "searchKey": "Resources.DefaultVPC.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "DefaultVPC", + "searchKey": "Resources.DefaultVPC.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC", + "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json index 76b37110772..c69b13e36c3 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json 
@@ -1,50 +1,106 @@ [ { + "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", "line": 12, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Duplicate Rule" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { + "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", "line": 25, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Duplicate Rule" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", "line": 39, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", "line": 52, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + 
"resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule2", + "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { - "line": 33, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Duplicate Rule", - "severity": "INFO" + "severity": "INFO", + "line": 23, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 71, - "fileName": "positive2.json" + "line": 33, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 23, - "fileName": "positive2.json" + "line": 57, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": 
"'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Duplicate Rule", "severity": "INFO", - "line": 57, - "fileName": "positive2.json" + "line": 71, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule2", + "searchKey": "Resources.OutboundRule2.Properties.RuleNumber", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL", + "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json index d21807992f5..06f51235b15 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "EC2 Network ACL Ineffective Denied Traffic", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrBlock", + "searchValue": "", + "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Ineffective Denied Traffic", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrBlock", + "searchValue": "", + "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)", + "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json index 07ad254cb0d..31300335262 100644 --- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json 
@@ -2,73 +2,157 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 78, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 90, - "fileName": "positive1.yaml" + "line": 30, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 42, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + 
"issueType": "IncorrectValue" }, { - "fileName": "positive1.yaml", "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 30 + "line": 54, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { + "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 42, - "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Overlapping Ports" + "line": 78, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 54, - "fileName": "positive1.yaml" + "line": 90, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing 
ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 73, - "fileName": "positive2.json" + "line": 22, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { - "line": 116, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 38, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 22, - "fileName": "positive2.json" + "line": 73, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing 
ineffective rules'", + "issueType": "IncorrectValue" }, { - "line": 82, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 82, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { - "line": 105, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 105, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 38, - "fileName": "positive2.json" + "line": 116, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port 
rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 53aad6fca47..207d0de991a 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
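Review bot: Every actualValue in this file section contains the typo `port rage config`, and both expectedValue and actualValue are wrapped in stray single quotes (`"'Resources.InboundRule.Properties.PortRange should be configured ... to avoid overlapping'"`), so the fixture now pins those message defects as the expected output. The text comes from the query's message, so the fix belongs there (`port range`, quotes dropped) with this file regenerated afterwards; merged as-is, the eventual wording fix will break this test. The entries were also reordered by line in the same change, which makes the real diff harder to read than a field-only update would be.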
@@ -3,42 +3,91 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 16, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 23, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": 
"Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 4, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 16, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json index 4e0fafdad8d..94c8d1fa2e5 100644 
--- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "EC2 Permissive Network ACL Protocols",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.Protocol",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "EC2 Permissive Network ACL Protocols",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive2.json",
- "queryName": "EC2 Permissive Network ACL Protocols"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.Protocol",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
index 5f3620a8431..07a1d5d2d19 100644
--- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "EC2 Public Instance Exposed Through Subnet",
 "severity": "MEDIUM",
- "line": 28
+ "line": 28,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Ec2Instance",
+ "searchKey": "Resources.mySubnet",
+ "searchValue": "",
+ "expectedValue": "Resources.mySubnet should be a private subnet",
+ "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EC2 Public Instance Exposed Through Subnet",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Ec2Instance",
+ "searchKey": "Resources.mySubnet",
+ "searchValue": "",
+ "expectedValue": "Resources.mySubnet should be a private subnet",
+ "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json
index 0adf53057a5..132c97afda8 100644
--- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json
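Review bot: In both entries of this section resourceType/resourceName identify the instance (`AWS::EC2::Instance` / `Ec2Instance`) while searchKey, expectedValue and actualValue all point at `Resources.mySubnet`, so the location the finding highlights and the resource it is attributed to disagree, and this fixture now pins that mismatch as expected output. Presumably the query walks from the instance to its subnet's route and reports the subnet key; if so, the attribution should be made consistent in the query (either key on the instance's subnet reference or name the subnet in resourceName) and this file regenerated, because a reader of the result has no way to connect `Resources.mySubnet` to `Ec2Instance` from these fields alone.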
+++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json 
@@ -3,1092 +3,2366 @@ "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 31, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 41, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 49, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + 
"searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should 
not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 
security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", 
"severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + 
"searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 
security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": 
"IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": 
"HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be 
allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is 
allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": 
"HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", 
+ "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP 
SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port 
Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": 
"EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 
'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + 
"issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": 
"positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 70, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 
security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 80, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 84, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 20, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": 
"IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 29, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 38, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 47, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 57, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + 
"resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 66, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 75, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 84, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", 
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 25, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 39, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 53, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", 
"severity": "HIGH", "line": 65, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) 
should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 
'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - 
"fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + 
"searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + 
"expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": 
"Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is 
Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be 
allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed 
in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is 
Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) 
should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group 
for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - 
"fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) 
should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 
security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly 
Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 93, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + 
"searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 107, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 113, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 24, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be 
allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 34, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 44, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 54, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port 
Is Publicly Exposed", "severity": "HIGH", "line": 64, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 74, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 84, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 94, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": 
"Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index d6ad7efe073..33e120f391a 100644 --- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'",
+ "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository4.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository4.Properties.ImageTagMutability should be defined and not null",
+ "actualValue": "Resources.MyRepository4.Properties.ImageTagMutability is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository5.Properties.ImageTagMutability",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository5.Properties.ImageTagMutability should be 'IMMUTABLE'",
+ "actualValue": "Resources.MyRepository5.Properties.ImageTagMutability is 'MUTABLE'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository6.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository6.Properties.ImageTagMutability should be defined and not null",
+ "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
index 9118d4b848e..a2b23f94972 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ECR Repository Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository3.Properties.RepositoryPolicyText",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'",
+ "actualValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal contains '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Repository Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 7,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository4.Properties.RepositoryPolicyText",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'",
+ "actualValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal contains '*'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
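Review bot: The rename of the key `fileName` to `filename` on every entry (e.g. `- "fileName": "positive1.yaml"` / `+ "filename": "positive1.yaml",`) is only correct if the harness that decodes these expected results was switched to the new spelling in the same change; that code is not in this diff, so please confirm it, because a case-insensitive decoder would silently tolerate a mismatch while a stricter consumer would see an empty filename and match nothing. Separately, all four entries carry `"resourceName": "test-repository"` although they describe four distinct logical resources (MyRepository3 through MyRepository6 in `searchKey`), so the comparison presumably disambiguates on `searchKey`/`line` rather than `resourceName`; if that assumption is wrong, the two entries per file become interchangeable and a regression in either could pass unnoticed.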
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
index 951a94d2d37..79dc6a92c51 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 12,
- "fileName": "positive2.json"
+ "line": 8,
+ "filename": "positive10.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive3.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 11,
- "fileName": "positive4.json"
+ "line": 12,
+ "filename": "positive3.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive5.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute"
 },
- {
+ {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 5,
- "fileName": "positive6.yaml"
+ "line": 11,
+ "filename": "positive5.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 9,
- "fileName": "positive7.yaml"
+ "line": 5,
+ "filename": "positive6.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive8.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 8,
- "fileName": "positive9.yaml"
+ "line": 9,
+ "filename": "positive8.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive10.yaml"
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index cd03c0a5a7c..bd8524ac5eb 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive2.json",
- "queryName": "ECS Cluster with Container Insights Disabled"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive3.json",
- "queryName": "ECS Cluster with Container Insights Disabled"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
index acd4c922ed6..29822fd55ab 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 37,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive2.yaml",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition1",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition1 should be defined",
+ "actualValue": "Resources.taskdefinition1 is not defined.",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 122,
- "fileName": "positive3.json",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 54,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition1",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition1 should be defined",
+ "actualValue": "Resources.taskdefinition1 is not defined.",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
index 380d9611400..3c4bb42d9d5 100644
--- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.ECSService.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined",
+ "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService2",
+ "searchKey": "Resources.ECSService2.Properties.LoadBalancers",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty",
+ "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.ECSService.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined",
+ "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2.json",
- "queryName": "ECS No Load Balancer Attached"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService2",
+ "searchKey": "Resources.ECSService2.Properties.LoadBalancers",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty",
+ "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
index 54d894980d7..9f204df6100 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 87,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.Role should not be an admin role",
+ "actualValue": "Resources.service.Properties.Role is an admin role",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 66,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.Role should not be an admin role",
+ "actualValue": "Resources.service.Properties.Role is an admin role",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
index 565c78ce282..55fe694d307 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
- "line": 64
+ "line": 64,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null",
+ "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
 "line": 152,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null",
+ "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
index 00b22e5a9dd..680e89da06c 100644
--- a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 54,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "cfn-service",
+ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp",
+ "searchValue": "",
+ "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')",
+ "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 66,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "cfn-service",
+ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp",
+ "searchValue": "",
+ "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')",
+ "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
index 803ab1f8440..f4e1e326ef4 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition HealthCheck Missing",
 "severity": "LOW",
- "line": 48
+ "line": 48,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.1.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property",
+ "issueType": "MissingAttribute"
 },
 {
- "line": 55,
- "fileName": "positive2.json",
 "queryName": "ECS Task Definition HealthCheck Missing",
- "severity": "LOW"
+ "severity": "LOW",
+ "line": 55,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.0.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
index 1b13003f4ec..5bb2cfc0e89 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
- "line": 42
+ "line": 42,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 58,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 63,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 93,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
index 3ee7e3ba995..84d348c3a60 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition Network Mode Not Recommended",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.NetworkMode",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'",
+ "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 7,
- "fileName": "positive2.json",
 "queryName": "ECS Task Definition Network Mode Not Recommended",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'",
+ "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
index fc9de30c639..f647e2d28e7 100644
--- a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 49,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 90,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 49,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
index 454f88a6484..ab230f55393 100644
--- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json 
@@ -3,180 +3,390 @@
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 45,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 41,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 41,
- "fileName": "positive7.json"
+ "filename": "positive7.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive8.json"
+ "filename": "positive8.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive8.yaml"
+ "filename": "positive8.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive9.json"
+ "filename": "positive9.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive9.json"
+ "filename": "positive9.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive9.yaml"
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 29,
- "fileName": "positive9.yaml"
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive10.json"
+ "filename": "positive10.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive10.json"
+ "filename": "positive10.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive10.yaml"
+ "filename": "positive10.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive10.yaml"
+ "filename": "positive10.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive11.json"
+ "filename": "positive11.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive11.json"
+ "filename": "positive11.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive11.yaml"
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[0]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive11.yaml"
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1]",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive12.json"
+ "filename": "positive12.json",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 29,
- "fileName": "positive12.yaml"
+ "filename": "positive12.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json
index b3569a8fb15..ad598bf505b 100644
--- a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "EFS Without KMS",
 "severity": "LOW",
 "line": 82,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Without KMS",
 "severity": "LOW",
 "line": 157,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Without KMS",
 "severity": "LOW",
 "line": 82,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json
index f69d1cd120b..d40cf029969 100644
--- a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "EFS Without Tags",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "FileSystem",
+ "searchKey": "Resources.FileSystem",
+ "searchValue": "",
+ "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null",
+ "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Without Tags",
 "severity": "LOW",
 "line": 40,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "FileSystem",
+ "searchKey": "Resources.FileSystem",
+ "searchValue": "",
+ "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null",
+ "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
index e1ca5a31001..6032b86cab7 100644
--- a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
 {
+ "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 5,
- "queryName": "EKS Cluster Encryption Disabled",
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EKS::Cluster",
+ "resourceName": "MyEKSClusterA",
+ "searchKey": "Resources.MyEKSClusterA.Properties",
+ "searchValue": "",
+ "expectedValue": "'EncryptionConfig' should be defined and not null",
+ "actualValue": "'EncryptionConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 6,
- "queryName": "EKS Cluster Encryption Disabled",
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EKS::Cluster",
+ "resourceName": "MyEKSClusterA",
+ "searchKey": "Resources.MyEKSClusterA.Properties",
+ "searchValue": "",
+ "expectedValue": "'EncryptionConfig' should be defined and not null",
+ "actualValue": "'EncryptionConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 16,
- "queryName": "EKS Cluster Encryption Disabled",
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::EKS::Cluster",
+ "resourceName": "MyEKSClusterB",
+ "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig",
+ "searchValue": "",
+ "expectedValue": "'secrets' should be defined inside the Resources field",
+ "actualValue": "'secrets' is undefined on the Resources field",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 19,
- "queryName": "EKS Cluster Encryption Disabled",
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EKS::Cluster",
+ "resourceName": "MyEKSClusterB",
+ "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig",
+ "searchValue": "",
+ "expectedValue": "'secrets' should be defined inside the Resources field",
+ "actualValue": "'secrets' is undefined on the Resources field",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json
index facfe6cd979..e65eb241208 100644
--- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "EKS node group remote access",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EKS::Nodegroup",
+ "resourceName": "EKSNodegroup",
+ "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess",
+ "searchValue": "",
+ "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null",
+ "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EKS node group remote access",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EKS::Nodegroup",
+ "resourceName": "EKSNodegroup",
+ "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess",
+ "searchValue": "",
+ "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null",
+ "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
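Review bot: In the eks_cluster_encryption_disabled hunk, the positive3.yaml and positive4.json entries carry `"issueType": "IncorrectValue"` while their expectedValue/actualValue pair says `'secrets' should be defined` / `'secrets' is undefined`, which describes a missing attribute — the same category the first two entries use for an absent EncryptionConfig. If the issueType is copied from query.rego (outside this diff), the inconsistency originates there, but this fixture now pins it, so it is worth settling before merge. Either have the query report `MissingAttribute` for an EncryptionConfig with no `secrets` resource and regenerate, or leave a one-line comment in the query explaining why an absent `secrets` entry is classified as an incorrect value.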
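Review bot: In the eks_node_group_remote_access hunk, both entries' actualValue contains `Source SecurityGroups` with a stray space, while the searchKey and expectedValue on the same entries spell it `SourceSecurityGroups`; committing the expected-result file with that string means any later correction of the message in query.rego (outside this diff) will fail this test. Fix the message at its source and regenerate so that both entries read `"actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' is undefined or null",` rather than locking the typo into the fixture.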
diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
index e8a84d33553..bb11ba49fba 100644
--- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
 {
- "line": 6,
- "fileName": "positive1.yaml",
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "myCacheCluster3",
+ "searchKey": "Resources.myCacheCluster3.Properties.AZMode",
+ "searchValue": "",
+ "expectedValue": "Resources.myCacheCluster3.Properties.AZMode is 'cross-az'",
+ "actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive3.json",
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
 "severity": "MEDIUM",
- "line": 6
+ "line": 5,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "myCacheCluster4",
+ "searchKey": "Resources.myCacheCluster4.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'",
+ "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
 "severity": "MEDIUM",
- "line": 5,
- "fileName": "positive2.yaml"
+ "line": 6,
+ "filename": "positive3.json",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "myCacheCluster5",
+ "searchKey": "Resources.myCacheCluster5.Properties.AZMode",
+ "searchValue": "",
+ "expectedValue": "Resources.myCacheCluster5.Properties.AZMode is 'cross-az'",
+ "actualValue": "Resources.myCacheCluster5.Properties.AZMode is 'single-az",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "myCacheCluster6",
+ "searchKey": "Resources.myCacheCluster6.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'",
+ "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json
index 20174b78ed6..3d6fb1a6c3b 100644
--- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json
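Review bot: The actualValue for myCacheCluster3 and myCacheCluster5 ends in `'single-az` with no closing quote, while the matching expectedValue writes `'cross-az'` and the two MissingAttribute entries write `'single-az'` correctly. Because this file is compared verbatim against scanner output, the unbalanced quote is presumably inherited from the message in query.rego (outside this diff); correcting it there and regenerating would give `"actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az'",` and the same for myCacheCluster5, instead of pinning the typo in the fixture. The positive2.yaml and positive3.json entries also swap positions and `line` values relative to the old file; that is consistent with the generator ordering by filename, but worth confirming the line numbers against the two sample files.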
@@ -3,24 +3,52 @@
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "BasicReplicationGroup",
+ "searchKey": "Resources.BasicReplicationGroup.Properties.Port",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379",
+ "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "BasicReplicationGroup",
+ "searchKey": "Resources.BasicReplicationGroup.Properties.Port",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211",
+ "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "BasicReplicationGroup",
+ "searchKey": "Resources.BasicReplicationGroup.Properties.Port",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379",
+ "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "BasicReplicationGroup",
+ "searchKey": "Resources.BasicReplicationGroup.Properties.Port",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211",
+ "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json
index 36188c1bb62..10c3a067ad1 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "ElastiCache With Disabled at Rest Encryption",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true",
+ "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache With Disabled at Rest Encryption",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "MyReplicationGroup",
+ "searchKey": "Resources.MyReplicationGroup.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined",
+ "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache With Disabled at Rest Encryption",
 "severity": "HIGH",
 "line": 19,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true",
+ "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache With Disabled at Rest Encryption",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "MyReplicationGroup",
+ "searchKey": "Resources.MyReplicationGroup.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined",
+ "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache With Disabled at Rest Encryption",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true",
+ "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json
index 303cc495823..1c2e7761625 100644
--- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "ElastiCache With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined",
+ "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "MyReplicationGroup",
+ "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true",
+ "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined",
+ "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "MyReplicationGroup",
+ "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true",
+ "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ElastiCache::ReplicationGroup",
+ "resourceName": "ReplicationGroup",
+ "searchKey": "Resources.ReplicationGroup.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined",
+ "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json
index 7031db962ef..cb8612e2a13 100644
--- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ElastiCache Without VPC",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "ElasticacheCluster",
+ "searchKey": "Resources.ElasticacheCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null",
+ "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Without VPC",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "ElasticacheCluster",
+ "searchKey": "Resources.ElasticacheCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null",
+ "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
index c1b2e200ba8..6abd495cc7f 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ElasticSearch Encryption With KMS Disabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined",
+ "issueType": "MissingAttribute"
 },
 {
- "line": 7,
- "fileName": "positive2.json",
 "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined",
+ "issueType": "MissingAttribute"
 },
 {
- "line": 6,
- "fileName": "positive3.yaml",
 "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 6,
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
- "line": 6,
- "fileName": "positive4.json",
 "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 6,
+ "filename": "positive4.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
index d07d400b7a1..5bd73e8e988 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
@@ -3,72 +3,156 @@
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive2.json"
+ "line": 10,
+ "filename": "positive10.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 34,
- "fileName": "positive3.yaml"
+ "line": 7,
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 44,
- "fileName": "positive4.json"
+ "line": 10,
+ "filename": "positive12.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive5.yaml"
+ "filename": "positive2.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive6.json"
+ "line": 34,
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 32,
- "fileName": "positive7.yaml"
+ "line": 44,
+ "filename": "positive4.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 42,
- "fileName": "positive8.json"
+ "line": 7,
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive9.yaml"
+ "filename": "positive6.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive10.json"
+ "line": 32,
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive11.yaml"
+ "line": 42,
+ "filename": "positive8.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive12.json"
+ "line": 7,
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
index 572646d6388..959b1352a32 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
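Review bot: The entries in this fixture are now ordered lexicographically by filename (positive1, positive10, positive11, positive12, positive2, …) rather than in the natural positive1..positive12 order the old file had, and every `line` value moved with its entry, so most of the hunk is a reorder rather than a content change. That makes the diff hard to audit: a reviewer cannot see at a glance that, for example, positive3.yaml is still expected at line 34 with `IncorrectValue`, because that entry now sits in the sixth slot. If the comparison in the test harness is order-insensitive, emitting the entries in natural (numeric) filename order would keep the diff minimal and the fixture readable; if it is order-sensitive, the fixture is now pinned to whatever order the scanner happens to emit, which is worth a one-line comment in the generator or README so the next regeneration does not silently reshuffle it. This is inferred from the visible hunk only; the harness's comparison mode is not shown here.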
+++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json 
@@ -3,30 +3,65 @@
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index 2e61a6091c4..f1047a9064a 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "OpenSearchDomain",
+ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'",
+ "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-elasticsearch-domain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-elasticsearch-domain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "OpenSearchDomain",
+ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'",
+ "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
index 5047b434ad6..26245123b25 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
@@ -3,120 +3,260 @@
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive2.yaml"
+ "line": 10,
+ "filename": "positive10.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive3.yaml"
+ "line": 14,
+ "filename": "positive11.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive4.yaml"
+ "line": 11,
+ "filename": "positive12.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive5.yaml"
+ "line": 7,
+ "filename": "positive13.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive6.yaml"
+ "line": 14,
+ "filename": "positive14.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive7.yaml"
+ "line": 12,
+ "filename": "positive15.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive8.yaml"
+ "line": 14,
+ "filename": "positive16.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive9.yaml"
+ "line": 11,
+ "filename": "positive17.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive10.yaml"
+ "line": 7,
+ "filename": "positive18.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive11.json"
+ "filename": "positive19.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive12.json"
+ "line": 9,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive13.json"
+ "line": 12,
+ "filename": "positive20.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive14.json"
+ "line": 6,
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive15.json"
+ "line": 13,
+ "filename": "positive4.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive16.json"
+ "line": 10,
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive17.json"
+ "line": 13,
+ "filename": "positive6.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive18.json"
+ "line": 9,
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive19.json"
+ "line": 6,
+ "filename": "positive8.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType":
"MissingAttribute" }, { "queryName": "ElasticSearch Without Audit Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive20.json" + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json index 60b2f117754..badf6cc51c6 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json 
@@ -3,120 +3,260 @@ "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" + "line": 10, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.yaml" + "line": 14, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive4.yaml" + "line": 11, + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive5.yaml" + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive6.yaml" + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + 
"issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 9, - "fileName": "positive7.yaml" + "line": 12, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 6, - "fileName": "positive8.yaml" + "line": 14, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 13, - "fileName": "positive9.yaml" + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es 
application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 10, - "fileName": "positive10.yaml" + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive11.json" + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 11, - "fileName": "positive12.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch 
Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive13.json" + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive14.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive15.json" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": 
"MEDIUM", - "line": 14, - "fileName": "positive16.json" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 11, - "fileName": "positive17.json" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 7, - "fileName": "positive18.json" + "line": 9, + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application 
Logs", "severity": "MEDIUM", - "line": 14, - "fileName": "positive19.json" + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", - "line": 12, - "fileName": "positive20.json" + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index 5986337a1f0..6a838bcec76 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json 
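Review bot: The new entries for positive10.yaml, positive15.json and positive20.json expect `"issueType": "IncorrectValue"` even though their `actualValue` reads `ES_APPLICATION_LOGS.Enabled is undefined`, while the undefined-`LogPublishingOptions` entries (positive12.json, positive13.json, and the other "is undefined or null" cases) expect `MissingAttribute`; an undefined attribute labelled IncorrectValue looks like a classification mismatch. If query.rego really emits IncorrectValue on that branch the fixture is only pinning existing behaviour, but since this file now fixes the label it is worth confirming against the rego rather than inheriting a questionable one. The same pattern appears in the audit-logs section above and the slow-logs section below (the latter runs past this chunk). Separately, every entry switches the key `fileName` to `filename`; presumably the comparison harness was updated in the same change, otherwise the renamed field would simply stop being matched.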
@@ -3,12 +3,26 @@ "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", + "searchValue": "", + "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" }, { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 26, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "test", + "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement", + "searchValue": "", + "expectedValue": "Elasticsearch Domain should ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 9872b4ed14c..cd8f878e9f2 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json 
@@ -3,192 +3,416 @@ "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 9, - "fileName": "positive2.yaml" + "line": 10, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": 
"ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 6, - "fileName": "positive3.yaml" + "line": 13, + "filename": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive4.yaml" + "line": 14, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive4.yaml" + "line": 18, + "filename": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": 
"ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "fileName": "positive5.yaml" + "line": 11, + "filename": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive5.yaml" + "line": 7, + "filename": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive6.yaml" + "line": 14, + "filename": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive6.yaml" + "line": 18, + "filename": "positive14.json", + "resourceType": 
"AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 9, - "fileName": "positive7.yaml" + "line": 12, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 6, - "fileName": "positive8.yaml" + "line": 15, + "filename": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive9.yaml" + "line": 14, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + 
"resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 17, - "fileName": "positive9.yaml" + "line": 18, + "filename": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 10, - "fileName": "positive10.yaml" + "line": 11, + "filename": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 13, - "fileName": "positive10.yaml" + "line": 7, + "filename": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": 
"ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 14, - "fileName": "positive11.json" + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 18, - "fileName": "positive11.json" + "filename": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 11, - "fileName": "positive12.json" + "line": 9, + "filename": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 7, - "fileName": "positive13.json" + "line": 12, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive14.json" + "line": 15, + "filename": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive14.json" + "line": 6, + "filename": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + 
"expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "fileName": "positive15.json" + "line": 13, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "fileName": "positive15.json" + "line": 17, + "filename": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive16.json" + "line": 10, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive16.json" + "line": 13, + "filename": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 11, - "fileName": "positive17.json" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 7, - "fileName": "positive18.json" + "line": 17, + "filename": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + 
"expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 14, - "fileName": "positive19.json" + "line": 9, + "filename": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 18, - "fileName": "positive19.json" + "line": 6, + "filename": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 12, - "fileName": "positive20.json" + "line": 13, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be 
defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", - "line": 15, - "fileName": "positive20.json" + "line": 17, + "filename": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json index d4dfeba79a3..09eb2d382ec 100644 --- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + 
"expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 419d903f827..4b4e3a84075 100644 --- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
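Review bot: The `expectedValue`/`actualValue` pair added for the IncorrectValue entries in this hunk (`'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true` / `... is false`) reads as two bare statements rather than an expectation and an observation, unlike the MissingAttribute entries in the same hunk (`should exist` / `is missing`) and the `should be defined and set to 'true'` wording used in the elasticsearch fixture above. Because this fixture mirrors the scanner's output, the wording has to be corrected in the query's rego rule (e.g. `'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' should be true`) and the fixture regenerated, not edited by hand here, or the test will diverge from what the scan produces. The `Oracl DB (TCP:1521)` spelling in the elb_sensitive_port_is_exposed_to_entire_network fixture further down appears to originate the same way and would be fixed the same way. The hunk also renames `fileName` to `filename`; presumably the test harness key changed alongside this, so it is worth confirming that no fixture elsewhere still carries the old key, since a leftover `fileName` would silently stop matching.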
@@ -3,1236 +3,2678 @@ "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", 
+ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + 
"actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", 
"severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed 
in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": 
"positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": 
"TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 
'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - 
"fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": 
"HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL 
(UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": 
"positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB 
Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + 
"resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": 
"POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + 
"filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load 
balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 42, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 61, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 71, - "fileName": 
"positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 81, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 85, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": 
"Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 26, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 35, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 44, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service 
(UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 54, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 63, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 72, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 81, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + 
"resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 26, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": 
"UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) 
is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 27, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To 
Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 55, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be 
allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": 
"ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + 
"actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": 
"ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", 
"severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + 
"searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": 
"positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": 
"TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, 
{ "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + 
"resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + 
"actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", 
"line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + 
"actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 
29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire 
Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 43, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 57, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", 
+ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 69, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 83, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 97, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 111, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 117, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 20, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { 
"queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 60, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + 
"resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 70, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 80, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 90, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": 
"NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 39, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire 
Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 28, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 34, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 46, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue" }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 52, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + 
"expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'",
+ "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 58,
- "fileName": "positive8.json"
+ "filename": "positive8.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]",
+ "searchValue": "UDP,137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 64,
- "fileName": "positive8.json"
+ "filename": "positive8.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]",
+ "searchValue": "UDP,138",
+ "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'",
+ "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json
index d13bf54bd5e..67790ece55f 100644
--- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
 "line": 34,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
 "line": 50,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json
index 0a839c95974..9d29e20c09f 100644
--- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 34,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 40,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
 "line": 49,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher",
+ "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json
index 37ff9f3c3f4..059056584de 100644
--- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "ELBv2 ALB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "EnvironmentName",
+ "searchKey": "Resources.LoadBalancer.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined",
+ "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELBv2 ALB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "EnvironmentName",
+ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes",
+ "searchValue": "",
+ "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true",
+ "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELBv2 ALB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "EnvironmentName",
+ "searchKey": "Resources.LoadBalancer.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined",
+ "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELBv2 ALB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "EnvironmentName",
+ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes",
+ "searchValue": "",
+ "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true",
+ "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELBv2 ALB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "EnvironmentName",
+ "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes",
+ "searchValue": "",
+ "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true",
+ "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json
index 8f2c9fd3032..ea8c51d3e67 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ELB With Security Group Without Inbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithoutingress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined",
+ "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Inbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithoutingress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined",
+ "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Inbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithingress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined",
+ "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Inbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithingress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined",
+ "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json
index bcde6e7171f..2430bf779c7 100644
--- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json
@@ -3,72 +3,156 @@
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithoutegress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithoutegress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithegress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.sgwithegress.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties.SecurityGroupEgress",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive8.json"
+ "filename": "positive8.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties.SecurityGroupEgress",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive9.yaml"
+ "filename": "positive9.yaml",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyALB",
+ "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty",
+ "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive10.json"
+ "filename": "positive10.json",
+ "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+ "resourceName": "MyALB",
+ "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty",
+ "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive11.yaml"
+ "filename": "positive11.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB With Security Group Without Outbound Rules",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive12.json"
+ "filename": "positive12.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyClassicLB",
+ "searchKey": "Resources.MySG.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined",
+ "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json
index f4a043eaacb..45bbe75ee7e 100644
--- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ELB Without Secure Protocol",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'",
+ "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Without Secure Protocol",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'",
+ "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Without Secure Protocol",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'",
+ "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Without Secure Protocol",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "resourceName": "MyLoadBalancer",
+ "searchKey": "Resources.MyLoadBalancer.Properties.Listeners",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'",
+ "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json
index b9e1a5fbe7a..73c7bd1f7be 100644
--- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
 {
+ "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml",
- "queryName": "Empty Roles For ECS Cluster Task Definitions"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "NoTaskDefinition",
+ "searchKey": "Resources.NoTaskDefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set",
+ "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive1.yaml",
 "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
- "line": 24
+ "line": 24,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "InvalidTaskDefinition",
+ "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition",
+ "searchValue": "",
+ "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition",
+ "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
 "line": 41,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "TaskNoRole",
+ "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition",
+ "searchValue": "",
+ "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role",
+ "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
- "line": 96,
- "fileName": "positive2.json"
+ "line": 11,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "InvalidTaskDefinition",
+ "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition",
+ "searchValue": "",
+ "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition",
+ "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive2.json"
+ "line": 39,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "TaskNoRole",
+ "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition",
+ "searchValue": "",
+ "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role",
+ "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Empty Roles For ECS Cluster Task Definitions",
 "severity": "MEDIUM",
- "line": 39,
- "fileName": "positive2.json"
+ "line": 96,
+ "filename": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "NoTaskDefinition",
+ "searchKey": "Resources.NoTaskDefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set",
+ "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json
index 10819b82da5..0887adc229a 100644
--- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "EMR Cluster Without Security Configuration",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive2.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EMR::Cluster",
+ "resourceName": "CFNtest2",
+ "searchKey": "Resources.cluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource",
+ "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 18,
- "fileName": "positive1.yaml",
 "queryName": "EMR Cluster Without Security Configuration",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 18,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EMR::Cluster",
+ "resourceName": "CFNtest2",
+ "searchKey": "Resources.cluster1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined",
+ "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive3.json",
 "queryName": "EMR Cluster Without Security Configuration",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "filename": "positive3.json",
+ "resourceType": "AWS::EMR::Cluster",
+ "resourceName": "CFNtest2",
+ "searchKey": "Resources.cluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource",
+ "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EMR Cluster Without Security Configuration",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EMR::Cluster",
+ "resourceName": "CFNtest2",
+ "searchKey": "Resources.cluster1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined",
+ "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json
index 69b2e0f60fa..aa56fb9a046 100644
--- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json
@@ -3,96 +3,208 @@ "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": 
"Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": 
"Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": 
"Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", 
"severity": "MEDIUM", "line": 10, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + 
"expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive9.yaml" + "filename": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue" }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive9.yaml" + "filename": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": 
"Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json index fd870c2a4f7..08240272574 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EMR Without VPC", "severity": "LOW", "line": 23, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EMR Without VPC", "severity": "LOW", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute" } ] 
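Review bot: The positive2.yaml line 9, positive4.yaml line 6, positive6.json line 9 and positive8.json line 7 entries pin `"issueType": "IncorrectValue"` for findings whose actualValue reads `... is undefined` and whose expectedValue reads `... must be defined`, while every other query in this diff classifies an undefined attribute as `MissingAttribute` (EMR Without VPC, GitHub Repository Set To Public, EMR Cluster Without Security Configuration). Since the generator copies issueType from query.rego, the mismatch is presumably in the query's undefined-attribute branch, and this fixture now locks it in as expected output. The same four entries also build expectedValue/actualValue from a path that skips `.Properties` (`Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration...`) although their searchKey includes it. Suggest correcting the rego (`"issueType": "MissingAttribute"` and a `.Properties` path in the sprintf) and regenerating this file rather than hand-editing the JSON, which would otherwise diverge from scan output.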
diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json
index 152afc34c12..ea08e1b615a 100644
--- a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 23, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 37, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' 
of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 
'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 53, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 65, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json
index d49354e3fdc..113880bd7c7 100644
--- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json
@@ -1,50 +1,106 @@ [ { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": 
"Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 32, - "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "filename": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { - "line": 8, - "fileName": "positive2.json", "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", 
"severity": "MEDIUM", "line": 14, - "fileName": "positive2.json", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 39, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": 
"Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json index 364f0f18cd3..7497ec8a7f1 100644 --- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
 {
+ "queryName": "Geo Restriction Disabled",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive1.yaml",
- "queryName": "Geo Restriction Disabled"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::CloudFront::Distribution",
+ "resourceName": "myDistribution",
+ "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType",
+ "searchValue": "",
+ "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist",
+ "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Geo Restriction Disabled",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::CloudFront::Distribution",
+ "resourceName": "myDistribution",
+ "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType",
+ "searchValue": "",
+ "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist",
+ "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json
index 865819ed241..cadfba034a0 100644
--- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json
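Review bot: Both new entries pin `"actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. ..."`, where `RestrictionTypeallows` fuses the search key with the word `allows` — presumably a format string in the query's keyActualValue of the form `"%sallows is configured with none..."` missing a space, or a stray word left over from an earlier wording. Because this file is expected scan output, the fix belongs in query.rego (e.g. `"%s is configured with none. Therefore, Geo Restriction is not enabled and it should be"`) followed by regenerating this JSON; editing only the fixture would make the test fail against the unchanged query. The remaining fields (resourceType, searchKey, `IncorrectValue` for a RestrictionType of `none`) look consistent with the other hunks.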
@@ -3,30 +3,65 @@ "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.json" + "filename": "positive2.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo4.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive3.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo5.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo5.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo5.IsPrivate' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo6.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": 
"GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json index 31c42b15f5e..ad8e040d586 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@
 "queryName": "GuardDuty Detector Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::GuardDuty::Detector",
+ "resourceName": "mydetector3",
+ "searchKey": "Resources.mydetector3.Properties.Enable",
+ "searchValue": "",
+ "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true",
+ "actualValue": "Resources.mydetector3.Properties.Enable is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "GuardDuty Detector Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::GuardDuty::Detector",
+ "resourceName": "mydetector4",
+ "searchKey": "Resources.mydetector4.Properties.Enable",
+ "searchValue": "",
+ "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true",
+ "actualValue": "Resources.mydetector4.Properties.Enable is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "GuardDuty Detector Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::GuardDuty::Detector",
+ "resourceName": "mydetector3",
+ "searchKey": "Resources.mydetector3.Properties.Enable",
+ "searchValue": "",
+ "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true",
+ "actualValue": "Resources.mydetector3.Properties.Enable is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
index 522d250589f..d985abe6bd6 100644
--- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "LambdaFunction3",
+ "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables",
+ "searchValue": "",
+ "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key",
+ "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "LambdaFunction4",
+ "searchKey": "Resources.LambdaFunction4.Properties.Environment.Variables",
+ "searchValue": "",
+ "expectedValue": "Resources.LambdaFunction4.Properties.Environment.Variables shouldn't contain access key",
+ "actualValue": "Resources.LambdaFunction4.Properties.Environment.Variables contains access key",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 29,
- "fileName": "positive3.json",
 "queryName": "Hardcoded AWS Access Key In Lambda",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 29,
+ "filename": "positive3.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "LambdaFunction5",
+ "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables",
+ "searchValue": "",
+ "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key",
+ "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Hardcoded AWS Access Key In Lambda",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "LambdaFunction6",
+ "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables",
+ "searchValue": "",
+ "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key",
+ "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json
index d3ef6c01790..161541151ba 100644
--- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json
@@ -3,132 +3,286 @@
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv4_1",
+ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv4_2",
+ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 38,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv4",
+ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 51,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_2",
+ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 79,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv6",
+ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress1.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress1.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 40,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 49,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress3.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv4_1",
+ "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv4_2",
+ "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv4",
+ "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 61,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 76,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_2",
+ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 97,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv6",
+ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]",
+ "searchValue": "",
+ "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)",
+ "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress1.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 38,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress1.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 50,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HTTP Port Open To Internet",
 "severity": "MEDIUM",
 "line": 62,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress3.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)",
+ "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json
index c0896937034..ed0ddfeddb5 100644
--- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "IAM Access Analyzer Not Enabled",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Resources",
+ "searchValue": "",
+ "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set",
+ "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Access Analyzer Not Enabled",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "Resources",
+ "searchValue": "",
+ "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set",
+ "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
index 9d7881e32ef..42ae5624f91 100644
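Review bot: In the http_port_open section, the five `AWS::EC2::SecurityGroupIngress` entries for positive2.yaml and positive4.json pin `resourceName` to `DualStackSecurityGroup` while their `searchKey` names a different resource (`Resources.IPv4Ingress1.Properties` through `Resources.IPv6Ingress3.Properties`), whereas every `AWS::EC2::SecurityGroup` entry in the same file uses the flagged resource's own logical id as `resourceName`. Presumably the query reports the group the standalone ingress rule attaches to rather than the ingress resource's logical id, but the file does not say which is intended, and committing these expected results locks that behaviour in. It is worth confirming against the query's actual output before merging, since a later fix to report the ingress resource itself would then fail this fixture. The iam_access_analyzer entries that share this physical line look internally consistent (`resourceType`/`resourceName` `n/a` with `searchKey` `Resources` for a `MissingAttribute` finding).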
--- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication",
+ "searchValue": "",
+ "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true",
+ "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication",
+ "searchValue": "",
+ "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true",
+ "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined",
+ "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined",
+ "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Database Auth Not Enabled",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication",
+ "searchValue": "",
+ "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true",
+ "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json
index 2f42addade3..2b24b10d755 100644
--- a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json
@@ -3,216 +3,468 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 22, + "filename": "positive10.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "filename": "positive11.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.json" + "filename": "positive12.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + 
"searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive5.yaml" + "line": 14, + "filename": "positive13.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive6.json" + "line": 22, + "filename": "positive14.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive7.yaml" + "filename": "positive15.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": 
"IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive8.json" + "filename": "positive16.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive9.yaml" + "line": 5, + "filename": "positive17.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive10.json" + "line": 6, + "filename": "positive18.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive11.yaml" + "filename": "positive19.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": 
"Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive12.json" + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive13.yaml" + "line": 6, + "filename": "positive20.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive14.json" + "line": 5, + "filename": "positive21.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined 
(disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive15.yaml" + "line": 6, + "filename": "positive22.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 22, - "fileName": "positive16.json" + "line": 15, + "filename": "positive23.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive17.yaml" + "line": 21, + "filename": "positive24.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": 
"'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive18.json" + "line": 15, + "filename": "positive25.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive19.yaml" + "line": 21, + "filename": "positive26.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive20.json" + "line": 14, + "filename": "positive27.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, 
{ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive21.yaml" + "line": 20, + "filename": "positive28.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive22.json" + "line": 14, + "filename": "positive29.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive23.yaml" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive24.json" + "line": 20, + "filename": "positive30.json", + 
"resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive25.yaml" + "filename": "positive31.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive26.json" + "line": 23, + "filename": "positive32.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive27.yaml" + "line": 15, + "filename": "positive33.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": 
"'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive28.json" + "line": 23, + "filename": "positive34.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive29.yaml" + "line": 5, + "filename": "positive35.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive30.json" + "line": 6, + "filename": "positive36.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster 
Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive31.yaml" + "line": 6, + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive32.json" + "line": 15, + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive33.yaml" + "line": 21, + "filename": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive34.json" + "line": 14, + "filename": "positive7.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": 
"Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive35.yaml" + "line": 22, + "filename": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive36.json" + "line": 14, + "filename": "positive9.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json index f5bbc9440fb..be317625045 100644 --- a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer", + "searchKey": "Resources.myuseeer", + "searchValue": "", + "expectedValue": "Resources.myuseeer has at least one user", + "actualValue": "Resources.myuseeer does not have at least one user", + "issueType": "IncorrectValue" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer2", + "searchKey": "Resources.myuseeer2", + "searchValue": "", + "expectedValue": "Resources.myuseeer2 has at least one user", + "actualValue": "Resources.myuseeer2 does not have at least one user", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json index 66be9a07df7..bf84f1baf35 100644 --- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json index 3dff9f858cc..08d578707e9 100644 --- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" }, { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json index a5765e9f98e..386ec8c9edd 100644 --- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 69799f5eb6f..0dc6e05b6e0 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json 
@@ -2,25 +2,53 @@ { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 10, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.myuser.Properties.Policies' is not empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 14, - "fileName": "positive2.json" + "line": 10, + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty", + "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty", + "issueType": "IncorrectValue" }, { + "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.json", - "queryName": "IAM Policies Attached To User" + "line": 14, + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or 
empty", + "actualValue": "'Resources.myuser.Properties.Policies' is not empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 19b16708d30..c60a8fdac4b 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'", + "actualValue": 
"'Resources.Properties.PolicyDocument.Statement' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json index 8ef4a853721..b16d30a6f2d 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { - "fileName": "positive1.yaml", "queryName": "IAM Policies Without Groups", "severity": "LOW", - "line": 25 + "line": 25, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies.Users", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies Without Groups", "severity": "LOW", "line": 38, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies.Users", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups", + "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 8401007eb80..bd9106d0a97 100644 
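Review bot: The new `resourceName` does not agree with `searchKey` in any entry of this file: `"resourceName": "mygrouppolicy"` is paired with `"searchKey": "Resources.mypolicy.Properties.PolicyDocument"` and `Resources.mypolicy2.Properties.PolicyDocument`, so the expectation pins a result whose resource name appears to be taken from a different resource than the one flagged. The same pairing recurs in iam_policy_grants_assumerole_permission_across_all_services and iam_policy_grants_full_permissions, and iam_policy_allows_for_data_exfiltration pairs `"resourceName": "CFNUsers"` with `Resources.MyPolicy...` search keys. If that is how the query currently computes resourceName, the generated fixture is faithfully snapshotting a query defect rather than the intended contract, and a later fix to the query will fail these baselines; confirming the names against the positive test files before accepting them seems warranted.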
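Review bot: The expectedValue pinned for this query carries an unbalanced quote, `'Resources.Properties.Policies.Users should be replaced by Groups` (opening `'` with no closing one), and iam_policy_allows_for_data_exfiltration likewise pins `shouldn't contain ilegal actions` in every entry. These strings mirror what the query emits, so the snapshot is accurate, but once committed as the baseline the message typos must be corrected in the query and this fixture together. Separately, `"resourceType": "AWS::IAM::Policy"` is paired here with `"resourceName": "myuser"` and a searchKey under `Resources.myuser.Properties.Policies.Users`, which reads like a user's inline policy rather than a standalone policy resource; worth confirming against positive1.yaml.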
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "CFNUser", + "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive10.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive11.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data 
exfiltration", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.yaml" + "line": 13, + "filename": "positive12.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.yaml" + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "RootGroup", + "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 18, - "fileName": "positive6.json" + "line": 11, + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 15, - "fileName": "positive7.json" + "line": 12, + 
"filename": "positive4.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParametersByPath]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 13, - "fileName": "positive8.json" + "line": 9, + "filename": "positive5.yaml", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 15, - "fileName": "positive9.json" + "line": 18, + "filename": "positive6.json", + "resourceType": "AWS::IAM::User", + "resourceName": "CFNUser", + "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 11, - "fileName": "positive10.json" + "line": 15, + "filename": "positive7.json", + "resourceType": "AWS::IAM::Group", + 
"resourceName": "RootGroup", + "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 11, - "fileName": "positive11.json" + "line": 13, + "filename": "positive8.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "CFNUsers", + "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", - "line": 13, - "fileName": "positive12.json" + "line": 15, + "filename": "positive9.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action", + "searchValue": "", + "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions", + "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index f40195f228b..fa806a35140 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')", + "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 6a9932378db..3c70b097542 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 29, - "fileName": "positive2.json" + "line": 9, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": "Resources.mypolicy2.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 29, + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "mygrouppolicy", + "searchKey": 
"Resources.mypolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'", + "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json index 21015b58d99..d473369d33b 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "IAM Policy On User", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "BadPolicy", + "searchKey": "Resources.BadPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.BadPolicy is assigned to a set of users", + "actualValue": "Resources.BadPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" }, { + "queryName": "IAM Policy On User", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json", - "queryName": "IAM Policy On User" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "BadPolicy", + "searchKey": "Resources.BadPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.BadPolicy is assigned to a set of users", + "actualValue": "Resources.BadPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 2781e221e62..76aaa8b9a70 100644 --- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json index 8b39e8ea169..cc9b1f6a6a9 100644 --- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { + "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "fileName": "positive1.yaml", - "queryName": "IAM User LoginProfile Password Is In Plaintext" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal", + "issueType": "IncorrectValue" }, { "queryName": "IAM User LoginProfile Password Is In Plaintext", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value", + "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
index 1ed53278e90..96fc708a1eb 100644
--- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
@@ -2,25 +2,53 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.yaml" + "line": 10, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "firstKey", + "searchKey": "Resources.firstKey", + "searchValue": "", + "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { - "line": 10, - "fileName": "positive1.yaml", "queryName": "IAM User Has Too Many Access Keys", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "secondKey", + "searchKey": "Resources.secondKey", + "searchValue": "", + "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 20, - "fileName": "positive2.json" + "line": 5, + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "secondKey", + "searchKey": "Resources.secondKey", + "searchValue": "", + "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.json" + "line": 20, + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "firstKey", + "searchKey": "Resources.firstKey", + "searchValue": "", + "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'", + "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'", + 
"issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json index 83c4042d6dc..3a7bbe25de9 100644 --- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ { + "queryName": "IAM User With No Group", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml", - "queryName": "IAM User With No Group" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.yaml", "queryName": "IAM User With No Group", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue" }, { "queryName": "IAM User With No Group", "severity": "LOW", "line": 5, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute" }, { "queryName": "IAM User With No Group", "severity": "LOW", "line": 8, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue" } ] 
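Review bot: The expectedValue pinned for the two MissingAttribute entries (positive1.yaml and positive3.json) has an unbalanced quote: `"expectedValue": "'Resources.Properties should contain Groups"` opens a single quote that is never closed, while the paired actualValue reads `'Resources.Properties' does not contain Groups`. The fixture presumably copies the message from the query's rego, so the correction `'Resources.Properties' should contain Groups` should land in the query and here in the same change, otherwise the next regeneration reintroduces the defect. Also worth confirming: searchKey is `Resources.MyUser.Properties` while resourceName is `TestUser`; that is fine if resourceName comes from the Name property, but the generator should not have picked up a different resource.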
diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json index 00a1ef6c9c0..2f2ede6a0c4 100644 --- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Inline Policies Are Attached To ECS Service", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "InlinePolicy", + "searchKey": "Resources.InlinePolicy.Properties.Role", + "searchValue": "", + "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'", + "issueType": "IncorrectValue" }, { "queryName": "Inline Policies Are Attached To ECS Service", "severity": "LOW", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "InlinePolicy", + "searchKey": "Resources.InlinePolicy.Properties.Role", + "searchValue": "", + "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy", + "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 9b1a06da1f5..bdf48e71d28 100644 
--- a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
@@ -1,122 +1,262 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 16, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive8.json" - }, - { - 
"queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive8.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 22, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive10.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 24, - "fileName": "positive10.json" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive10.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": 
"MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 24, + "filename": "positive10.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + 
"actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive3.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + 
"severity": "LOW", + "line": 25, + "filename": "positive4.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 25, + "filename": "positive5.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "filename": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": 
"MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": "positive6.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive7.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": 
"'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive8.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "filename": "positive8.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive9.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + }, 
+ { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 22, + "filename": "positive9.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json index 3def28cba7c..9ef3ce0e586 100644 --- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json 
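Review bot: Every line of the old file in this hunk is removed and re-added even where the text is unchanged (each `"queryName"`, `"severity": "LOW"` and `"line"` line of all twenty entries appears once as `-` and once as `+`), which makes the 122/262-line hunk hard to review for the actual content change; since the visible text is identical, the difference is presumably indentation or line endings emitted by the generator that differ from the checked-in file. Writing the file with the original indentation, as the other hunks in this diff evidently do since their context lines survive, would reduce this to the added keys, and the re-sorting of entries (positive10.json now follows positive1.yaml) could go in a separate commit. The issueType assignments themselves look consistent: entries whose actualValue says the attribute `is not defined` are MissingAttribute and those saying `is not defined to 'required'` are IncorrectValue.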
@@ -1,26 +1,54 @@ [ { - "line": 21, - "fileName": "positive1.yaml", "queryName": "Instance With No VPC", - "severity": "LOW" + "severity": "LOW", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 35, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive4.json", "queryName": "Instance With No VPC", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is 
undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json index b87c98cc150..1bd0f07b23d 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "IoT Policy Allows Action as Wildcard", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'", + "issueType": "IncorrectValue" }, { "queryName": "IoT Policy Allows Action as Wildcard", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json index f424cf92b1d..59575b4b45a 100644 
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'", + "issueType": "IncorrectValue" }, { "queryName": "IoT Policy Allows Wildcard Resource", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IoT::Policy", + "resourceName": "PolicyName", + "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'", + "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json index ff15c193abc..ecf65f298d4 100644 --- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json 
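Review bot: Both actualValue strings in the iot_policy_allows_wildcard_resource hunk pin a misspelling, `Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'`, while the expectedValue on the same entry uses `Statement.Resource`. The fixture presumably copies the message from that query's rego, so the typo should be fixed at the source and here in the same change as `"actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource is '*'"`; otherwise the suite locks in the wrong path and any later correction to the query breaks the test.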
@@ -2,37 +2,79 @@
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 26,
- "fileName": "positive1.yaml"
+ "line": 8,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream1.Properties.StreamEncryption",
+ "searchValue": "KeyId",
+ "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set",
+ "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
 "line": 19,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream2.Properties.StreamEncryption",
+ "searchValue": "EncryptionType",
+ "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set",
+ "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 8,
- "fileName": "positive1.yaml"
+ "line": 26,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream3.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set",
+ "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 39,
- "fileName": "positive2.json"
+ "line": 9,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream1.Properties.StreamEncryption",
+ "searchValue": "KeyId",
+ "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set",
+ "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream2.Properties.StreamEncryption",
+ "searchValue": "EncryptionType",
+ "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set",
+ "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 9,
- "fileName": "positive2.json"
+ "line": 39,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream3.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set",
+ "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
index e65793703d9..6b1a8e98519 100644
--- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "KMS Allows Wildcard Principal",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'",
+ "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Allows Wildcard Principal",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'",
+ "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
index 4482b431b9a..8435be7dfda 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 51,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 60,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 65,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 51,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json
index 93317fe9f38..305d6958395 100644
--- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json
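Review bot: The three `myKey` entries pin an inverted message, `EnableKeyRotation should not be 'true'` / `EnableKeyRotation is true`, for a query named "KMS Key Rotation Disabled" whose positives presumably set rotation to false; a remediation text that tells the user to turn rotation off is the opposite of the check's intent. Assuming the strings originate in query.rego's keyExpectedValue/keyActualValue (the script only inserts issueType), change them there to `Resources.myKey.Properties.EnableKeyRotation should be set to true` / `Resources.myKey.Properties.EnableKeyRotation is set to false` and regenerate this file rather than freezing the misleading text as the oracle. The `myKey2` entries (`should be defined` / `is undefined`, MissingAttribute) read correctly and need no change.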
@@ -3,24 +3,52 @@
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive.json"
+ "filename": "positive.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey",
+ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey",
+ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey2",
+ "searchKey": "Resources.RSASigningKey2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null",
+ "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey2",
+ "searchKey": "Resources.RSASigningKey2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null",
+ "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
index dbc5630f0cc..c9c00498385 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null",
+ "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function2",
+ "searchKey": "Resources.Function2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig' should be defined and not null",
+ "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function2",
+ "searchKey": "Resources.Function2.Properties.DeadLetterConfig",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null",
+ "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
index 544806fff4a..41b62dfa19f 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Lambda Function Without Tags",
 "severity": "LOW",
 "line": 52,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.AppendItemToListFunction.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined",
+ "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
- "fileName": "positive2.json",
 "queryName": "Lambda Function Without Tags",
 "severity": "LOW",
- "line": 75
+ "line": 75,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.AppendItemToListFunction.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined",
+ "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
index d6b555c562e..412fafddc5d 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Lambda Functions With Full Privileges",
 "severity": "HIGH",
 "line": 76,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument",
+ "searchValue": "AppendItemToListFunction",
+ "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ",
+ "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Lambda Functions With Full Privileges",
 "severity": "HIGH",
 "line": 101,
- "fileName": "positive2.json",
- "queryName": "Lambda Functions With Full Privileges"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument",
+ "searchValue": "AppendItemToListFunction",
+ "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ",
+ "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json
index ca510107e97..450f6683166 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json
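Review bot: Every new `expectedValue` and `actualValue` in this hunk ends with a trailing space (`…to Resources.AppendItemToListFunction "`), which is almost certainly a stray space in the sprintf format string in query.rego and is invisible to anyone reading the file. A consumer that trims the message, or a future regeneration after the format string is tidied, will then fail the exact-match comparison for a whitespace-only reason. Strip the trailing space in the query's format string (`… to %s` with no space after) and regenerate this file before locking the text in as the oracle.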
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json 
@@ -1,26 +1,54 @@
 [
 {
+ "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive1.yaml",
- "queryName": "Lambda Functions Without Unique IAM Roles"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer01",
+ "searchKey": "Resources.Primer01.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
 "line": 41,
- "fileName": "positive1.yaml",
- "queryName": "Lambda Functions Without Unique IAM Roles"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer02",
+ "searchKey": "Resources.Primer02.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 7,
- "fileName": "positive2.json",
 "queryName": "Lambda Functions Without Unique IAM Roles",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer01",
+ "searchKey": "Resources.Primer01.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive2.json",
 "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
- "line": 24
+ "line": 24,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer02",
+ "searchKey": "Resources.Primer02.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
index a6e44bfe9dd..af0839d3d98 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
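Review bot: All four new `actualValue` strings read `Resource.Primer0N.Properties.Role is assigned to another funtion` — singular `Resource.` where every `searchKey` in the same entry uses the `Resources.` path prefix, plus the `funtion` misspelling. These strings are copied from the query's keyActualValue (the script only inserts issueType), so the fix belongs in query.rego, e.g. `Resources.Primer01.Properties.Role is assigned to another function`, followed by regenerating this file; merging the current text makes the typo part of the regression contract. The `expectedValue` (`Each AWS Lambda Function has a unique role`) is also the only message in this batch not phrased as a `should …` sentence, which is worth aligning at the same time.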
@@ -1,26 +1,54 @@
 [
 {
- "line": 37,
- "fileName": "positive1.yaml",
 "queryName": "Lambda Functions Without X-Ray Tracing",
- "severity": "LOW"
+ "severity": "LOW",
+ "line": 37,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "primer",
+ "searchKey": "Resources.primer.Properties.TracingConfig.Mode",
+ "searchValue": "",
+ "expectedValue": "TracingConfig.Mode should be set to 'Active'",
+ "actualValue": "TracingConfig.Mode is set to 'PassThrough'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "Property 'TracingConfig' should be defined",
+ "actualValue": "Property 'TracingConfig' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "primer",
+ "searchKey": "Resources.primer.Properties.TracingConfig.Mode",
+ "searchValue": "",
+ "expectedValue": "TracingConfig.Mode should be set to 'Active'",
+ "actualValue": "TracingConfig.Mode is set to 'PassThrough'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "Property 'TracingConfig' should be defined",
+ "actualValue": "Property 'TracingConfig' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
index f513240e9e9..f6a1b378caa 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Lambda Permission Misconfigured",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ",
+ "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction",
+ "issueType": "IncorrectValue"
 },
 {
- "line": 8,
- "fileName": "positive2.json",
 "queryName": "Lambda Permission Misconfigured",
- "severity": "LOW"
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ",
+ "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
index 29464280e4e..b65e15a2363 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
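Review bot: Both new `expectedValue` strings end with a trailing space (`should be lambda:InvokeFunction "`) while the paired `actualValue` does not, which points to a stray space in the query's keyExpectedValue literal rather than anything intentional. Pinning it here means the first person to tidy the rego string breaks this test for a whitespace-only difference. Remove the trailing space in query.rego (`'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction`) and regenerate the file.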
+++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
- "line": 9,
- "fileName": "positive1.yaml",
 "queryName": "Lambda Permission Principal Is Wildcard",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 9,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Principal",
+ "searchValue": "",
+ "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard",
+ "actualValue": "Resources.s3Permission.Properties.Principal is wildcard",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Lambda Permission Principal Is Wildcard",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive2.json",
- "queryName": "Lambda Permission Principal Is Wildcard"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Principal",
+ "searchValue": "",
+ "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard",
+ "actualValue": "Resources.s3Permission.Properties.Principal is wildcard",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
index 623b33cff0b..bfdaddba3a5 100644
--- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
@@ -1,50 +1,106 @@
 [
 {
- "line": 52,
- "fileName": "positive1.yaml",
 "queryName": "Low RDS Backup Retention Period",
- "severity": "LOW"
+ "severity": "LOW",
+ "line": 52,
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::RDS::DBCluster",
+ "resourceName": "DatabaseCluster",
+ "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod",
+ "searchValue": "",
+ "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days",
+ "issueType": "IncorrectValue"
 },
 {
- "fileName": "positive4.yaml",
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
- "line": 43
+ "line": 35,
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod",
+ "searchValue": "",
+ "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
 "line": 22,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDB",
+ "searchKey": "Resources.MyDB.Properties",
+ "searchValue": "",
+ "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
- "line": 35,
- "fileName": "positive2.yaml"
+ "line": 43,
+ "filename": "positive4.yaml",
+ "resourceType": "AWS::RDS::DBCluster",
+ "resourceName": "BadDatabaseCluster",
+ "searchKey": "Resources.BadDatabaseCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
 "line": 113,
- "fileName": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "AWS::RDS::DBCluster",
+ "resourceName": "DatabaseCluster",
+ "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod",
+ "searchValue": "",
+ "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
 "line": 55,
- "fileName": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDBSmall",
+ "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod",
+ "searchValue": "",
+ "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
 "line": 26,
- "fileName": "positive7.json"
+ "filename": "positive7.json",
+ "resourceType": "AWS::RDS::DBInstance",
+ "resourceName": "MyDB",
+ "searchKey": "Resources.MyDB.Properties",
+ "searchValue": "",
+ "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Low RDS Backup Retention Period",
 "severity": "LOW",
 "line": 54,
- "fileName": "positive8.json"
+ "filename": "positive8.json",
+ "resourceType": "AWS::RDS::DBCluster",
+ "resourceName": "BadDatabaseCluster",
+ "searchKey": "Resources.BadDatabaseCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days",
+ "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json
index 501f3544d25..f4ff73b71e2 100644
--- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "MQ Broker Is Publicly Accessible",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::AmazonMQ::Broker",
+ "resourceName": "MyBasicBroker",
+ "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined",
+ "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "MQ Broker Is Publicly Accessible",
 "severity": "HIGH",
 "line": 31,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::AmazonMQ::Broker",
+ "resourceName": "MyBasicBroker",
+ "searchKey": "Resources.BasicBroker2.Properties.PubliclyAccessible",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicBroker2.Properties.PubliclyAccessible should be set to false or undefined",
+ "actualValue": "Resources.BasicBroker2.Properties.PubliclyAccessible is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "MQ Broker Is Publicly Accessible",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::AmazonMQ::Broker",
+ "resourceName": "MyBasicBroker",
+ "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible",
+ "searchValue": "",
+ "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined",
+ "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json
index 6445a0adcc4..27a5ff67e2c 100644
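Review bot: The rename from `fileName` to `filename` in every entry only holds up if the harness that loads positive_expected_result.json keys on `filename` or matches JSON keys case-insensitively; that loader is not in this diff, so it needs confirming before merge, otherwise the existing file-name comparison would quietly stop applying. The same rename and the seven added fields recur in the MQ logging, MSK and Neptune hunks below, so one answer covers all of them. `resourceName` is `MyBasicBroker` for three entries whose `searchKey` points at `BasicBroker` and `BasicBroker2`, which is fine if it reflects the BrokerName property rather than the logical ID, but worth a glance at the fixtures.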
--- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json
@@ -3,90 +3,195 @@ "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 84, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { 
"queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 88, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker8.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 56, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker9.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 85, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker10.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker10.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker10.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging 
Disabled", "severity": "MEDIUM", "line": 115, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker11.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker11.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker11.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 121, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker12.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 42, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", 
"line": 63, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 84, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue" }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 88, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index fcc5009075f..36a176e2b44 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "MSK Broker Is Publicly Accessible",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::MSK::Cluster",
+ "resourceName": "ClusterWithRequiredProperties",
+ "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type",
+ "searchValue": "",
+ "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined",
+ "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "MSK Broker Is Publicly Accessible",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::MSK::Cluster",
+ "resourceName": "ClusterWithRequiredProperties",
+ "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type",
+ "searchValue": "",
+ "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined",
+ "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json
index 22713f3e118..6365d1eaae8 100644
--- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json
@@ -1,38 +1,80 @@ [ { + "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive1.yaml", - "queryName": "MSK Cluster Encryption Disabled" + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive4.json" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 14, - "fileName": "positive2.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive5.json" + "line": 6, + "filename": "positive4.json", + "resourceType": 
"AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive3.yaml" + "line": 16, + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 16, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 18936d80396..cbf56d2a642 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json 
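Review bot: Entry order and key order change here alongside the new fields — the positive4.json and positive5.json records move to their sorted positions and `queryName` moves to the front of the first entry — which is unrelated churn that makes the added fields harder to verify record by record. Keeping the re-sort out of a fixture-regeneration commit, or at least calling it out in the description, would make the review mechanical. The carried-over `line` values (6 for positive4.json, 16 for positive5.json) do match the removed entries, so the reorder itself looks lossless.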
+++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json 
@@ -3,78 +3,169 @@ "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + 
"expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive5.json" + "filename": "positive5.json", + 
"resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": 
"Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index f51982aed87..c1d560c5676 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json 
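Review bot: The `expectedValue`/`actualValue` strings pinned for TestCluster6 (positive2.yaml, positive7.yaml) and TestCluster9 (positive5.json) are identical across the CloudWatchLogs, Firehose and S3 findings, so those entries are distinguishable only by `line` and `searchKey`. If the harness compares the message fields, any later improvement to the query's message (for example naming the sink) forces regenerating every record here; if it compares only `line`/`filename`, the verbatim text adds no coverage. Worth confirming which fields the comparison actually uses before committing to these strings.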
@@ -3,36 +3,78 @@
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster2",
+ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster2",
+ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Cluster With IAM Database Authentication Disabled",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster2",
+ "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true",
+ "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json
index 56c1ab81ab8..8e831b80a2f 100644
--- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Neptune Database Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Database Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 21,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Neptune Database Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::Neptune::DBCluster",
+ "resourceName": "NeptuneDBCluster",
+ "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True",
+ "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json
index f6adaa3e926..88cb9299bb5 100644
--- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' 
should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": 
"Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 9432662c2fc..600838e3d1b 100644 --- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { - "line": 11, - "fileName": "positive1.yaml", "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission3", + "searchKey": "Resources.s3Permission3.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission3.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue" }, { - "line": 18, - "fileName": "positive2.json", "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 18, + "filename": "positive2.json", + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue" } ] 
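Review bot: The regenerated `expectedValue` for positive1.json, positive5.yaml and positive6.yaml ends in a trailing space (`"'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled "`), so the fixture now pins that whitespace as part of the query's output. If the space is unintended, trim it in the query's message and regenerate rather than hand-editing this file, otherwise the next regeneration reintroduces the mismatch. The positive6.yaml entry also pairs that "should have ... enabled" text with `"actualValue": "... is set to null"` and `"issueType": "IncorrectValue"`, which reads as the undefined-case message reused for the null branch; worth confirming that is the query's intent before locking it in.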
diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 7f80c9865ef..50bff9259db 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 8ab4a9e49bc..d9a55a74dd3 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 61, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json index af7ef58369f..fa29192f3f8 100644 
--- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 30, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 49, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 45, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should 
be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 34, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json index 4787fe06159..0b282502ccc 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 128, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" }, { - "line": 148, - "fileName": "positive1.yaml", "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 148, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute" }, { + "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 89, - "fileName": "positive2.json", - "queryName": "RDS Multi-AZ Deployment Disabled" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" }, { - "line": 124, - "fileName": "positive2.json", "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 124, + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + 
"searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute" }, { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 128, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json index b91a1a46a5a..fb841c44433 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json 
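Review bot: The three MasterDB entries now pin `"resourceName": ""` while the ReplicaDB entries carry "Read Replica Database", so an empty resource name becomes an asserted expectation rather than something the test tolerates. If the empty value comes from the MasterDB resource having no name property in the template, that is presumably correct, but if the generator is meant to fall back to the logical id (`MasterDB`, which the `searchKey` already names) this fixture would then need regenerating. Worth confirming the source of the empty string before merging, since later fixing the name lookup will break this test.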
@@ -3,36 +3,78 @@ "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 9, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 59, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is 
undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "NoEncryption", + "searchKey": "Resources.NoEncryption.Properties", + "searchValue": "", + "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json index 0e49ea3c58c..142620cf402 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 35, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 30, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 50, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 45, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted 
is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 35, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json index ac7552bddb2..a0edac6c158 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 21, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 21, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json index 18cc5f8c4ec..73dbf73f338 100644 --- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { - "fileName": "positive1.yaml", "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue" }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index e1389be7964..670e7b1ba3d 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster3.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster3.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster3.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster4.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster4.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster4.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json index bcfc24fec54..2b6aa063e2a 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json 
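Review bot: `"resourceName": "${DatabaseName}"` pins an unresolved `${...}` substitution as the resource name in both entries here and in the redshift_cluster_without_kms_cmk hunk that follows. Presumably the template names the cluster with a Sub-style expression and the scanner reports it verbatim; if so the fixture is faithful, but any later change that resolves the reference (or falls back to the logical id, `RedshiftCluster3`/`RedshiftCluster4`) will fail this test. Confirming that the raw placeholder is the intended output would avoid treating that future change as a regression.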
@@ -3,12 +3,26 @@ "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 9499674a8e3..7b28a659cac 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "fileName": "positive2.yaml" + "line": 6, + "filename": "positive10.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" + "line": 26, + "filename": "positive11.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 5, - "fileName": "positive4.yaml" + "line": 24, + "filename": "positive12.json", + "resourceType": 
"AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 19, - "fileName": "positive5.yaml" + "line": 5, + "filename": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 18, - "fileName": "positive6.yaml" + "line": 5, + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "fileName": "positive7.json" + "line": 5, + "filename": "positive4.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have 
valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "fileName": "positive8.json" + "line": 19, + "filename": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 6, - "fileName": "positive9.json" + "line": 18, + "filename": "positive6.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive10.json" + "filename": "positive7.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute" }, { "queryName": 
"Redshift Cluster Without VPC", "severity": "LOW", - "line": 26, - "fileName": "positive11.json" + "line": 6, + "filename": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 24, - "fileName": "positive12.json" + "line": 6, + "filename": "positive9.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json index 8c7b0132cf5..963e6b12504 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 32, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + 
"issueType": "IncorrectValue" }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json index cb018261b8d..df15e5837de 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json 
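Review bot: The two IncorrectValue entries (positive2.yaml line 21 and positive4.json line 32) pin the misspelling `Encryped` in `actualValue`, so the fixture now asserts a typo rather than the property name `Encrypted` used in the matching `searchKey` and `expectedValue`. The string presumably mirrors the message emitted by this query's query.rego, which is where the fix belongs; correcting it there would then require regenerating both lines to `"actualValue": "Resources.RedshiftCluster2.Properties.Encrypted is set to false",`. Landing the typo in the expected results makes a later rego cleanup fail the test for a cosmetic reason, so it is cheaper to fix both together in this change.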
@@ -3,36 +3,78 @@ "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 17, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 30, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is 
true", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 17, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json index f79909eda69..1ea39125ebc 100644 --- a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 28, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 39, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json index 7bd2a1e12fc..e47cb8aec62 100644 --- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RefreshToken Is Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "RefreshToken Is Exposed", "severity": "HIGH", - "line": 26 + "line": 26, + "filename": "positive2.json", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
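Review bot: In both entries the `searchKey` is `Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken`, but `expectedValue` and `actualValue` refer to `'Resources.MySkill.Properties.RefreshToken'`, dropping the `AuthenticationConfiguration` segment, so the finding text points at a path that does not exist in the template. The message presumably comes from the query's rego, so the fix is there, with these two fixture lines regenerated to read `'Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken' ...`. Since this query flags a plaintext credential, an accurate path in the finding matters for anyone locating the secret to move it into `{{resolve:secretsmanager:...}}`.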
diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 20adaa883d4..87d277e6840 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json 
@@ -3,132 +3,286 @@ "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 51, - 
"fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 79, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + 
"resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 31, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 40, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": 
"IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 25, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 46, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 61, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 76, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 97, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": 
"Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 14, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop 
port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 50, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 62, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 61430847f89..07394bd1da3 100644 --- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue" }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json index 0e67938f892..f6e8b83be60 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json 
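Review bot: Both entries pin the misspelling `asssociated` in `expectedValue` and `actualValue` (`should not be asssociated to root account.` / `is asssociated to root account.`), so the expected results now assert the typo verbatim. This text presumably mirrors the query's rego, and since expected-result matching is exact, a later wording fix in the query would break this test; it is better to correct the message in query.rego in the same change and regenerate these lines as `"expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be associated to root account.",` and `"actualValue": "'Resources.CFNKeys.Properties.UserName' is associated to root account.",`.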
@@ -3,12 +3,26 @@ "queryName": "Route53 Record Undefined", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute" }, { "queryName": "Route53 Record Undefined", "severity": "HIGH", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json index 04d3a665aad..9a1f9a509b7 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ { + "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 54, - "fileName": "positive1.yaml", - "queryName": "RouterTable with Default Routing" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 66, - "fileName": "positive1.yaml" + "line": 61, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 61, - "fileName": "positive1.yaml" + "line": 66, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute" }, { + "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 37, - "fileName": "positive2.json", - "queryName": "RouterTable with Default Routing" + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": 
"Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue" }, { - "line": 108, - "fileName": "positive2.json", "queryName": "RouterTable with Default Routing", - "severity": "LOW" + "severity": "LOW", + "line": 43, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 43, - "fileName": "positive2.json" + "line": 108, + "filename": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 7a2db579caf..41020a82880 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 42, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - 
"fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketName", + "searchKey": "Resources.SWBS3Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 8b30d277c16..bedd8de7e56 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json 
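Review bot: The positive3.yaml entry records `"resourceName": "S3BucketName"` while its searchKey points at `Resources.SWBS3Bucket`; the two other fields in the same object (resourceType/searchKey) identify the logical resource, but the resourceName looks like an unresolved reference (presumably a `!Ref` to a parameter named S3BucketName) rather than a bucket name — worth confirming against positive3.yaml. If that is the case, the name resolver in the generator should fall back to the logical id (`SWBS3Bucket`), as the other four entries in this file do, instead of freezing the parameter name into the expected result.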
@@ -3,48 +3,104 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { - "fileName": "positive3.yaml", "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7 + "line": 7, + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + 
"expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 13, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 8, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 8, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 8, - "fileName": "positive8.json" + "filename": "positive8.json", + 
"resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 68cd8230646..3f67b2a7853 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json 
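Review bot: The positive4.yaml and positive8.json entries assert `"actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'"`, so the query's bucket-name lookup evidently fell through (presumably because the bucket has no explicit BucketName) and the placeholder is now being pinned as correct output. The resourceName field directly above resolves to `S3BucketForWebsiteContent`, so the message should use the same fallback (the logical resource id) instead of `'undefined'`; fix that in the query's keyActualValue and regenerate rather than committing the artifact. The same `'undefined'` appears in the positive4.yaml and positive8.json entries of the s3_bucket_acl_allows_read_to_any_authenticated_user hunk below, whereas the s3_bucket_acl_allows_read_to_all_users fixture already uses the logical id (`S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'`) and shows the intended shape.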
@@ -3,48 +3,104 @@ "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' 
has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 13, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 8, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 8, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + 
"actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 6aeccfaae0e..365f6730c7a 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": 
"Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 20, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" 
}, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json index e1a3f16266e..b4522c551f1 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": 
"S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json index caffaf97c5f..4241a040d61 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows Get Action From All 
Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json index 9233283aae5..9706fb4501c 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Allows List Action 
From All Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index b40c557aff1..e641c4a0958 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json 
@@ -3,42 +3,91 @@
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 20,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket1",
+ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicAcls",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket1)",
+ "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
 "line": 20,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 }
 ]
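Review bot: Every new `expectedValue`/`actualValue` in this file ends in a `%!(EXTRA string=Bucket11)`-style suffix, which is the Go fmt marker for a format call given more arguments than it has verbs, so the fixture pins a malformed finding message instead of the one the query intends to emit. The suffix presumably originates in the query's `sprintf` format string rather than in this file, and the same text appears in the s3_bucket_with_public_policy, s3_bucket_without_ignore_public_acl and s3_bucket_without_restriction_of_public_bucket hunks. A fixture cannot carry a comment, so the only remedy is to correct the message at its source and regenerate these entries, e.g. `"expectedValue": "'PublicAccessBlockConfiguration' should be defined"`; committing the values as-is makes the garbled text the contract the test enforces.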
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json
index f503b3c7a06..f9e0e33f489 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy3",
+ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Put' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 22,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy4",
+ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Put' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 9,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy5",
+ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Put' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 35,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy6",
+ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Put' action from all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json
index a0cfdc7977d..a09f10289ac 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "S3 Bucket Allows Restore Actions From All Principals",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy3",
+ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Restore Actions From All Principals",
 "severity": "HIGH",
 "line": 22,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy4",
+ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Restore Actions From All Principals",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy5",
+ "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Restore Actions From All Principals",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy6",
+ "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals",
+ "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json
index d1c0f50951b..1bef9dcd9a7 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
+ "queryName": "S3 Bucket CloudTrail Logging Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml",
- "queryName": "S3 Bucket CloudTrail Logging Disabled"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "mybucketVulnerable",
+ "searchKey": "Resources.mybucketVulnerable.Properties",
+ "searchValue": "",
+ "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled",
+ "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket CloudTrail Logging Disabled",
 "severity": "MEDIUM",
 "line": 67,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "mybucketVulnerable",
+ "searchKey": "Resources.mybucketVulnerable.Properties",
+ "searchValue": "",
+ "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled",
+ "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
index eeab2cbf1b4..44be099b596 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "mybucket",
+ "searchKey": "Resources.mybucket.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'",
+ "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'",
+ "issueType": "MissingAttribute"
 },
 {
- "line": 113,
- "fileName": "positive2.json",
 "queryName": "S3 Bucket Logging Disabled",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 113,
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "mybucket",
+ "searchKey": "Resources.mybucket.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'",
+ "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json
index 66e29ec3c19..ebccedf00cf 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json
@@ -3,48 +3,104 @@
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "docexamplebucket1",
+ "searchKey": "Resources.S3Bucket3",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 31,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket",
+ "searchKey": "Resources.S3Bucket",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 56,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "docexamplebucket5",
+ "searchKey": "Resources.S3Bucket7",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 42,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "docexamplebucket1",
+ "searchKey": "Resources.S3Bucket3",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 88,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket",
+ "searchKey": "Resources.S3Bucket",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 130,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "docexamplebucket5",
+ "searchKey": "Resources.S3Bucket7",
+ "searchValue": "",
+ "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "MyS3Bucket2",
+ "searchKey": "Resources.MyS3Bucket2",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Should Have Bucket Policy",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "MyS3Bucket2",
+ "searchKey": "Resources.MyS3Bucket2",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'",
+ "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
index 932ba9931df..d910ec5e6a8 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket With All Permissions",
 "severity": "CRITICAL",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy3",
+ "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow all actions from all principals",
+ "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket With All Permissions",
 "severity": "CRITICAL",
 "line": 9,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::BucketPolicy",
+ "resourceName": "SampleBucketPolicy4",
+ "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals",
+ "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
index c72d95ef9a2..ad6c7428a71 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 19,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket1",
+ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket1)",
+ "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket1)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 4,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "HIGH",
 "line": 19,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy",
+ "searchValue": "",
+ "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
index 11bf64846bd..0c9bbea09ef 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket With Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket",
+ "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins",
+ "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket With Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket",
+ "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins",
+ "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
index aac17c770d3..1442ff80e22 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls",
+ "searchValue": "",
+ "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket1",
+ "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls",
+ "searchValue": "",
+ "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket1)",
+ "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket1)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls",
+ "searchValue": "",
+ "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
index 5f10f50b495..3c981ce7ece 100755
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket11",
+ "searchKey": "Resources.Bucket11.Properties",
+ "searchValue": "",
+ "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)",
+ "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket12",
+ "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration",
+ "searchValue": "",
+ "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket13",
+ "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets",
+ "searchValue": "",
+ "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)",
+ "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "Bucket1",
+ "searchKey": 
"Resources.Bucket1.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 21, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA 
string=Bucket13)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json index 7ff543522df..44adcf20eea 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute" }, { + "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 5, - "fileName": "positive2.json", - "queryName": "S3 Bucket Without Server-side-encryption" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json
index e068512fc2a..19c99d1d6f1 100644
--- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json
@@ -3,78 +3,169 @@
 "queryName": "S3 Bucket Without SSL In Write Actions",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket",
+ "searchKey": "Resources.S3Bucket",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL",
+ "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "S3 Bucket Without SSL In Write Actions",
+ "severity": "MEDIUM",
+ "line": 34,
+ "filename": "positive10.json",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket33",
+ "searchKey": "Resources.S3Bucket33",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL",
+ "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without SSL In Write Actions",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket2",
+ "searchKey": "Resources.S3Bucket2",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL",
+ "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without SSL In Write Actions",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::S3::Bucket",
+ "resourceName": "S3Bucket3",
+ "searchKey": "Resources.S3Bucket3",
+ "searchValue": "",
+ "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL",
+ "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL",
+ "issueType": 
"IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { - "fileName": "positive4.yaml", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 12, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { - "fileName": "positive5.json", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write 
Actions", "severity": "MEDIUM", "line": 4, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", + "searchValue": "", + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 47, - "fileName": "positive7.json" + "filename": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 15, - "fileName": "positive8.json" + "filename": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive9.yaml" - }, - { - 
"queryName": "S3 Bucket Without SSL In Write Actions", - "severity": "MEDIUM", - "line": 34, - "fileName": "positive10.json" + "filename": "positive9.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket33,", + "searchKey": "Resources.S3Bucket33", + "searchValue": "", + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json index a47eadc1a3a..638e1ffd783 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 4, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 48, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": 
"Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 01c68fb878f..20bb9a02468 100644 --- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue" }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json
index b23d6d572be..c6094da99fb 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute" }, { - "line": 20, - "fileName": "positive1.yaml", "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 20, + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 59, - "fileName": "positive2.json" + "line": 16, + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue" }, { - "line": 16, - "fileName": "positive2.json", "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 59, + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": 
"BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json index 414d8795ebf..4e6e66bb4e8 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue" }, { "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json
index e7602850e63..cf98d49e0bd 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::SageMaker::EndpointConfig",
+ "resourceName": "EndpointConfig",
+ "searchKey": "Resources.EndpointConfig.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined",
+ "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute",
 "severity": "MEDIUM",
 "line": 40,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::SageMaker::EndpointConfig",
+ "resourceName": "EndpointConfig",
+ "searchKey": "Resources.EndpointConfig.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined",
+ "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json
index 30ff20916eb..241eda5e1d6 100644
--- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "SageMaker Notebook Not Placed In VPC",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::SageMaker::NotebookInstance",
+ "resourceName": "NotebookInstanceName",
+ "searchKey": "Resources.NotebookInstance.Properties.SubnetId",
+ "searchValue": "",
+ "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined",
+ "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SageMaker Notebook Not Placed In VPC",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::SageMaker::NotebookInstance",
+ "resourceName": "NotebookInstanceName",
+ "searchKey": "Resources.NotebookInstance.Properties.SubnetId",
+ "searchValue": "",
+ "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined",
+ "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json
index 9e98e5e61e7..3fa8c5f6c91 100644
--- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json
@@ -1,14 +1,28 @@ [ { - "line": 8, - "fileName": "positive1.yaml", "queryName": "SDB Domain Declared As A Resource", - "severity": "LOW" + "severity": "LOW", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute" }, { "queryName": "SDB Domain Declared As A Resource", "severity": "LOW", "line": 11, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json index d5e3ef62efc..1aa1dd6ad65 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ { + "queryName": "Secrets Manager Should Specify KmsKeyId", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml", - "queryName": "Secrets Manager Should Specify KmsKeyId" + "filename": "positive1.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" }, { - "line": 7, - "fileName": "positive2.json", "queryName": "Secrets Manager Should Specify KmsKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 7, + "filename": "positive2.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 4bc0a101074..20760e80ab1 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json 
@@ -1,26 +1,54 @@
 [
 {
+ "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 5,
- "queryName": "Secretsmanager Secret Without KMS",
- "fileName": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "AWS::SecretsManager::Secret",
+ "resourceName": "MySecret",
+ "searchKey": "Resources.MySecret.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null",
+ "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 4,
- "queryName": "Secretsmanager Secret Without KMS",
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "AWS::SecretsManager::Secret",
+ "resourceName": "MySecret",
+ "searchKey": "Resources.MySecret.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null",
+ "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 8,
- "queryName": "Secretsmanager Secret Without KMS",
- "fileName": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "AWS::SecretsManager::Secret",
+ "resourceName": "MySecretForAppB",
+ "searchKey": "Resources.MySecretB.Properties.KmsKeyId",
+ "searchValue": "",
+ "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null",
+ "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 7,
- "queryName": "Secretsmanager Secret Without KMS",
- "fileName": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "AWS::SecretsManager::Secret",
+ "resourceName": 
"MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json index 818af741276..4361a6e0e07 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::CloudFront::Distribution",
+ "resourceName": "cloudfrontdistribution",
+ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion",
+ "searchValue": "",
+ "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2",
+ "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
 "line": 44,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::CloudFront::Distribution",
+ "resourceName": "cloudfrontdistribution",
+ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion",
+ "searchValue": "",
+ "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2",
+ "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "AWS::CloudFront::Distribution",
+ "resourceName": "cloudfrontdistribution",
+ "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion",
+ "searchValue": "",
+ "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2",
+ "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json
index 74022745366..4dcc1e6651b 100644
--- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json
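Review bot: The new expectedValue/actualValue strings lock in `is TLSv1.1 or TLSv1.2` as the query's accepted set, and TLS 1.1 has been formally deprecated (RFC 8996), so this fixture now hard-codes wording that a hardened version of the query would have to contradict. The CloudFront `MinimumProtocolVersion` property also uses dated identifiers (values of the form `TLSv1.2_20xx`, if I recall the enum correctly), so a literal reading of "TLSv1.1 or TLSv1.2" does not describe what a compliant template actually contains. The fixture only mirrors the rego's message, so the change belongs in the query, but it is cheaper to reword before freezing it in three entries here; something like `should be TLSv1.2 or higher (TLSv1.2_2019/TLSv1.2_2021)` in the rego's keyExpectedValue would survive the tightening.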
@@ -3,24 +3,52 @@ "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 34, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": 
"AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json index 7a4d708f261..8dc012c9c23 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 43 + "line": 21, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 43, + "filename": "positive2.json", + 
"resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json index 07c66a046af..d85b2bd21c9 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json 
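Review bot: For both `AWS::EC2::SecurityGroup` entries the searchKey `Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol` omits the list index, while the expectedValue on the same entry uses `SecurityGroupEgress[0].IpProtocol` and the sibling egress_cidr_open_to_world fixture in this commit indexes its searchKey (`SecurityGroupEgress[0].CidrIp`). If the engine resolves the reported line from searchKey, an unindexed key over a list can only ever land on the first rule, so a template with the `-1` protocol in a later element would be attributed to the wrong line; the fixture faithfully records what the rego emits, so the fix is in the query's searchKey sprintf, but the inconsistency should not be frozen here. The matching line would be `"searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol"`. The two positive2.json entries also swapped line numbers (43 and 21) as they gained distinct resource details, which is a reorder only and looks intentional.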
@@ -3,24 +3,52 @@ "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to 
Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 32, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json index e41f59b8056..82872b5effd 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 43, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue" }, { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 44, - "fileName": "positive2.json", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 69, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + 
"resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json index 038c167f50c..1554e2db865 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { - "fileName": "positive1.yaml", "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 35 + "line": 35, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 51, - "fileName": "positive2.json" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 51, + "filename": 
"positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json index 70c0666415a..5ee98d71926 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml", - "queryName": "Security Group Ingress With Port Range" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", "line": 37, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue" }, { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 53, - "fileName": "positive2.json", - "queryName": "Security Group Ingress With Port Range" + "line": 11, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to 
Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 11 + "line": 53, + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json index 640f5f33e9e..9a6d5b35dfa 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": 
"OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 33, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 47, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 11, - "fileName": 
"positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 19, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 29, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 49, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should 
be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 69, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json index 443ab39a1fd..75c508498e8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive1_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive1_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 
set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 16, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive2_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + 
"actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive3_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 34, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive3_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 12, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 
set to '::/0' simultaneously", + "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 22, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json index 1e1b42c1df2..60cf121d82b 100644 --- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json 
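Review bot: Every `AWS::EC2::SecurityGroupEgress` entry reports resourceName as the parent group (`Positive1_security_group`, `Positive2_security_group`, ...) while its searchKey and messages reference the rule resource itself (`Resources.Positive1_egress_ipv4.Properties`), so the two fields disagree on which resource the finding belongs to. This is probably the rego resolving the rule's GroupId reference, but it is inconsistent with the SecurityGroupEgress entries in the other fixtures of this commit (which report the rule's own id, e.g. `OutboundRule`), and anything downstream that keys findings by resourceName will attribute these to the wrong resource. Either the query should emit the rule's logical id, `"resourceName": "Positive1_egress_ipv4"`, or the deviation should be documented in the query metadata; the exhibited-admin-ports fixture that follows shows the same pattern.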
@@ -3,12 +3,26 @@ "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json index 3369c2f16fa..debaf896792 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json 
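Review bot: Both new RDP entries anchor the finding at the whole ingress list (`"searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress"`, `"actualValue": "One of the ... has port 3389"`), so neither the recorded `line` nor the message tells a triager which rule opens 3389, whereas the SSH expectations later in this change index the offending rule (`SecurityGroupIngress[0]`). The expected strings also never mention the `0.0.0.0/0` / `::/0` source that makes the access "unrestricted", so the file on its own does not say why the rule is a HIGH finding. Both points come from the query's result dict in query.rego, which is outside this hunk; if that query is later changed to report per rule and per CIDR, every entry here has to be regenerated, so it may be worth noting in the generator that this query reports at list granularity rather than treating the recorded line numbers as the offending rule.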
@@ -3,96 +3,208 @@ "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 26, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 8, - 
"fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 16, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 24, - "fileName": 
"positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 22, - "fileName": "positive3.json" + "filename": 
"positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 18, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": 
"Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 24, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 46, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": 
"Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json index 33ac5943cde..829f04cc12b 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json 
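Review bot: The positive2.yaml line-34 entry and the positive4.json line-46 entry record `"searchKey": "Resources.Positive1_ingress_ipv6.Properties"` while every other resource in those fixtures is `Positive2_*` and their `resourceName` is `Positive2_security_group`; this looks like a copy-pasted logical ID in the test fixture rather than a scanner error. If the generator faithfully recorded the scan output then the expectation is accurate as written, but renaming the fixture resource to `Positive2_ingress_ipv6` and regenerating would keep the fixtures self-consistent and stop a reader from assuming the positive1 and positive2 IPv6 results were mixed up. The fixtures themselves are outside this hunk, so this should be confirmed against positive2.yaml and positive4.json before changing anything here.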
@@ -3,96 +3,208 @@ "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 26, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": 
"HIGH", "line": 36, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 48, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 52, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 62, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + 
"resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 72, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 13, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 19, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": 
"Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 31, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 41, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 54, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No 
ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 60, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 72, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue" }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 82, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": 
"'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 31a2b146d4f..e3dcd832068 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -3,132 +3,286 @@ "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 38, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 51, - "fileName": "positive1.yaml" + 
"filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": 
"Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 49, - "fileName": 
"positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 25, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 46, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + 
"expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 61, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 76, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 97, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": 
"'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 26, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 38, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 50, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": 
"DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 62, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json index ef3f5cfa119..f34bd23c196 100644 --- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 22, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json index e146f915889..078306d265c 100644 --- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute" }, { "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 1d2f4f047b0..21b09c5811e 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 8, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy0", + "searchKey": "Resources.mysnspolicy0.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 8, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": 
"Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 5441937d0bb..904204c936e 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue" }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json index 295f0751270..27ff35447df 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ { - "line": 5, - "fileName": "positive1.yaml", "queryName": "SNS Topic Without KmsMasterKeyId", - "severity": "LOW" + "severity": "LOW", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute" }, { - "fileName": "positive2.json", "queryName": "SNS Topic Without KmsMasterKeyId", "severity": "LOW", - "line": 6 + "line": 6, + "filename": "positive2.json", + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 130e5bdfa5f..68b6fc5fbea 100644 --- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json 
@@ -2,25 +2,53 @@ { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive1.yaml", - "line": 7 + "line": 7, + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive2.yaml", - "line": 7 + "line": 7, + "filename": "positive2.yaml", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive3.json", - "line": 9 + "line": 9, + "filename": "positive3.json", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": 
"Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue" }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "fileName": "positive4.json", - "line": 9 + "line": 9, + "filename": "positive4.json", + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json index daedbd3605d..d2ca6e027c3 100644 --- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or 
SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json index 9d68ba1ee6c..8fa841e6bfc 100644 --- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json index f49d35cf0ce..c8f46c01e35 100644 
--- a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json 
@@ -3,90 +3,195 @@ "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + 
"searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset9.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive2.json" + 
"filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset11.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset12.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + 
"issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 35, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 39, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": 
"Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json index 782cd903677..63d12c374e5 100644 --- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ { - "line": 4, - "fileName": "positive1.yaml", "queryName": "Support Has No Role Associated", - "severity": "LOW" + "severity": "LOW", + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": "'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 28, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": "'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 29, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": 
"AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 53, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index 822c2cc2526..09937f2e5c5 100644 --- a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json 
@@ -1,74 +1,158 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 17, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive6.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 15, - "fileName": "positive6.yaml" - } -] \ No newline at end of file + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive1.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": 
"'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "filename": "positive1.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "filename": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": 
"Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "filename": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "filename": "positive4.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 7, + "filename": "positive5.json", + 
"resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 17, + "filename": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 7, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 15, + "filename": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute" + } +] 
diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json index 084553f4de3..3769f7565f2 100644 --- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json 
@@ -1,50 +1,106 @@ [ { - "fileName": "positive1.yaml", "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 33 - }, - { "line": 18, - "fileName": "positive1.yaml", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", - "severity": "MEDIUM" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 49, - "fileName": "positive1.yaml" + "line": 33, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", + "issueType": "MissingAttribute" }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 47, - "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "line": 49, + 
"filename": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute" }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", + "severity": "MEDIUM", + "line": 47, + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", 
+ "issueType": "MissingAttribute" }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 61, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 277b995e388..95a73193823 100644 --- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json 
@@ -3,96 +3,208 @@ "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 14, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + 
"searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 45, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 56, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to 
the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 65, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 16, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + 
"resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 36, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 51, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 57, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": 
"'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 67, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 77, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 8436a1ff378..01db2fa3e4c 100644 --- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json 
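Review bot: For the eight `AWS::EC2::SecurityGroupIngress` entries the resourceName is `Positive1IPv4` or `Positive1IPv6`, the name of the security group, while searchKey points at the standalone ingress resource (`Resources.IPv4Ingress1.Properties` and so on), so the two fields describe different resources. Presumably the query resolves resourceName through the ingress rule's group reference rather than the logical id of the ingress resource itself; if that is intended it deserves a comment in the query, and if not the fixture is locking in a lookup bug. Either way the pairing is confusing for whoever reads the finding, so it is worth confirming before this becomes the expected output.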
@@ -3,24 +3,52 @@ "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 43, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 30, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 56, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": 
"Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json index ea5c7178c23..c539ad2880a 100644 --- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 6, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository5.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 9, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": 
"Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 951303e8652..95c564b82f5 100644 --- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 12, - "fileName": "positive.json" - }, { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 13, - "fileName": "positive.yaml" - } + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 12, + "filename": "positive.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig3", + "searchKey": "Resources.myLaunchConfig3.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig3.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig3.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue" + }, + { + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 13, + "filename": "positive.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig4", + "searchKey": "Resources.myLaunchConfig4.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig4.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig4.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json index 9bb7a0524e4..3ec53ab3732 100644 --- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json 
@@ -3,42 +3,91 @@ "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 38, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + 
"expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 7, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute" }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json index c61700e6a95..58508114460 100644 --- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ { - "line": 3, - "fileName": "positive1.yaml", "queryName": "VPC Attached With Too Many Gateways", - "severity": "LOW" + "severity": "LOW", + "line": 3, + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue" }, { + "queryName": "VPC Attached With Too Many Gateways", "severity": "LOW", "line": 7, - "fileName": "positive2.json", - "queryName": "VPC Attached With Too Many Gateways" + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index bfe28c75d9c..2d10a9a40ba 100644 --- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute" }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json index f18094de1e3..0b7440fe893 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json 
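Review bot: Both vpc_flowlogs_disabled entries pin `"resourceName": "10.${ClassB}.0.0/16"`, a CIDR expression, whereas every other fixture in this diff carries the resource's logical ID or name and the searchKey on these same entries is `Resources.MyVPC`. Presumably the query's resourceName lookup resolves to the VPC's address block instead of its logical ID; the fixture does not show where the value comes from, so this is worth confirming against the query before the expected result is committed, otherwise regenerating from a scan will keep the odd value passing indefinitely. If MyVPC is the intended name, the expected line in both entries is `"resourceName": "MyVPC",`.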
@@ -1,14 +1,28 @@
 [
 {
+ "queryName": "VPC Without Attached Subnet",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.yaml",
- "queryName": "VPC Without Attached Subnet"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::VPC",
+ "resourceName": "myVPC_1",
+ "searchKey": "Resources.myVPC_1",
+ "searchValue": "",
+ "expectedValue": "'Resources.myVPC_1' should be attached to resources",
+ "actualValue": "'Resources.myVPC_1' is not attached to resources",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "VPC Without Attached Subnet",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive2.json",
- "queryName": "VPC Without Attached Subnet"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EC2::VPC",
+ "resourceName": "myVPC_1",
+ "searchKey": "Resources.myVPC_1",
+ "searchValue": "",
+ "expectedValue": "'Resources.myVPC_1' should be attached to resources",
+ "actualValue": "'Resources.myVPC_1' is not attached to resources",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json
index b950d374c71..1e72eaa1af7 100644
--- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "VPC Without Network Firewall",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "AWS::EC2::VPC",
+ "resourceName": "myVPC11",
+ "searchKey": "Resources.myVPC11",
+ "searchValue": "",
+ "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall",
+ "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "VPC Without Network Firewall",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "AWS::EC2::VPC",
+ "resourceName": "myVPC11",
+ "searchKey": "Resources.myVPC11",
+ "searchValue": "",
+ "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall",
+ "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
index efa932ba894..03c316c4175 100644
--- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
@@ -3,36 +3,78 @@ "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 
'true'.", + "issueType": "IncorrectValue" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 9, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": 
"Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json index 9261cd50989..0211788f576 100644 --- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue" }, { - "fileName": "positive2.json", "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive2.json", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json index a71ab61a364..e17d11ff591 100644 
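Review bot: In the vulnerable_default_ssl_certificate fixture the two CloudfrontDefaultCertificate entries (positive2.yaml line 8 and positive4.json line 9) carry a `searchKey` of `Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate`, while their expectedValue/actualValue and the sibling MinimumProtocolVersion/SslSupportMethod entries place the attribute under `DistributionConfig.ViewerCertificate`. The searchKey therefore does not point at the attribute the messages describe, and committing it as the expected result locks that mismatch into the test. If these files were generated from a scan, the cause is presumably the searchKey built in the query's rego rather than the fixture itself, so the query should be corrected and the file regenerated so that both entries read `"searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate",`. A searchKey naming a path that does not exist in the template also weakens the finding for consumers that locate results by searchKey rather than by line.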
--- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Wildcard In ACM Certificate Domain Name", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue" }, { - "line": 19, - "fileName": "positive2.json", "queryName": "Wildcard In ACM Certificate Domain Name", - "severity": "LOW" + "severity": "LOW", + "line": 19, + "filename": "positive2.json", + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json index 492408cd150..4dd5710e072 100644 --- a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json 
@@ -2,25 +2,53 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 4, - "fileName": "positive1.yaml" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute" }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", "line": 17, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": 
"Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json index 9a4886944cb..4a835802b3c 100644 --- a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable1", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json index 76e5be3bb50..76519ad45d6 100644 --- a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json index 66e4e4b2449..c08c496a934 100644 --- a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json @@ -3,36 +3,78 @@ "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive6.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] 
diff --git a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json index 5a8b206a58a..783176d5fff 100644 --- a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json @@ -3,24 +3,52 @@ "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json index 1b8078706e0..431081e0fcf 100644 --- a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json index d144cd06d85..7624332c3ab 100644 --- a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json index f2de8ddc34b..8778877a1a2 100644 --- a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] 
diff --git a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json index 26872452549..c8fbf2f5809 100644 --- a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster3", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json index 31443e3f791..36a0ede1af8 100644 --- a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample1", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample4", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - 
"fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample6", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json index 4552773fb76..9dea73b01b4 100644 --- a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyBucket", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.JenkinsArtifacts03", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] 
diff --git a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json index f0fefd2b232..81114bfcec6 100644 --- a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json index d6f7e4b7816..e222aa57b14 100644 --- a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 8501c081577..db2d62cfccd 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::HttpApi", + "resourceName": "HttpApi", + "searchKey": "Resources.HttpApi.Properties", + "searchValue": "", + "expectedValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) should be defined and not null", + "actualValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json index 16af5f0a76b..b9eac517ef5 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json 
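Review bot: Both new entries pin a garbled message — `"expectedValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) should be defined and not null"` and the matching `actualValue` — where `%!d(string=…)` is the Go fmt output for a `%d` verb applied to a string argument, so the sprintf in this query's rego presumably uses `%d` where `%s` was meant. Committing the fixture as-is makes the test assert the broken text, so the user-facing finding stays garbled and any later correction of the message will fail this test. Fix the verb in query.rego first (the attribute name is a string) and regenerate, so the expected strings read `Resources.ApiGatewayApi.Properties.AccessLogSetting should be defined and not null` and `… is undefined or null`.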
@@ -3,18 +3,39 @@ "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 66879c8a540..82f9b86c596 100644 
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi.EndpointConfiguration' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi.EndpointConfiguration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.EndpointConfiguration", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue" } ] 
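Review bot: The message paths recorded here omit the `Properties` segment — `"expectedValue": "'Resources.ApiGatewayApi.EndpointConfiguration' should be defined and not null"` while the same entry's `searchKey` is `Resources.ApiGatewayApi.Properties`, and likewise `'Resources.ApiGatewayApi2.EndpointConfiguration.Types'` against `Resources.ApiGatewayApi2.Properties.EndpointConfiguration`. The other SAM queries in this commit spell the full `Resources.<Name>.Properties.<Attr>` path, so this query's rego text is inconsistent with both its own searchKey and its siblings, and the fixture now hard-codes that. Consider aligning the message to the real attribute path (e.g. `'Resources.ApiGatewayApi.Properties.EndpointConfiguration' should be defined and not null`) in query.rego and regenerating this file rather than freezing the shortened form.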
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json index 7c2c2079915..3ae1477336b 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize is not defined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 19, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 19, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
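Review bot: The recorded bounds in the positive2/positive3 entries exclude the top of the documented range — `"expectedValue": "… should be greater than -1 and smaller than 10485760"` and `"actualValue": "… is set but smaller than 0 or greater than 10485759"` treat 10485760 as invalid, whereas API Gateway documents `MinimumCompressionSize` as 0 to 10485760 bytes inclusive. If the query's comparison matches its message (I cannot see query.rego from here), that is an off-by-one that would flag a valid maximum value, and this fixture now asserts it. Worth confirming against the rego and, if so, correcting the check and message (`should be between 0 and 10485760`) before regenerating these expected strings.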
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 9b3580ba2f5..f0ebc529be8 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 90ecf9fd811..e388795c3ce 100644 
--- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.KmsKeyArn' should be defined and not null", + "actualValue": "'Resources.Function.Properties.KmsKeyArn' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 80a3a4a0aca..0b03cf2753b 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Serverless Function Without Dead Letter Queue", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json index 52d67c40a52..b440b41f38e 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Serverless Function Without Tags", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.Tags' should be defined and not null", + "actualValue": "'Resources.Function.Properties.Tags' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 97fa6f898f5..8e8058d47b1 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 19, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 34, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 19, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 34, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to 
the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 14dd9db9ab2..d2fb58e3ff0 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties", + "searchValue": "", + "expectedValue": "Property 'TracingConfig' should be defined and not null", + "actualValue": "Property 'TracingConfig' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 19, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Tracing", + "searchValue": "", + "expectedValue": "'Tracing' should be set to 'Active'", + "actualValue": "'Tracing' is set to 'PassThrough'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index e29ad869f20..c321548d307 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json 
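Review bot: All four entries freeze two text defects from the query into the fixture: `"actualValue": "Resource.Function1.Properties.Role is assigned to another funtion"` misspells "function", and both `expectedValue`/`actualValue` use the singular `Resource.` prefix while the entry's `searchKey` uses `Resources.Function1.Properties.Role`. Because this file is now compared verbatim, fixing either string in query.rego later will break the test until the fixture is regenerated, so it is cheaper to correct them first (`Resources.Function1.Properties.Role is assigned to another function`) and regenerate. The enclosing hunk starts on the previous line.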
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json 
@@ -3,462 +3,1001 @@ "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive3.yaml" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 9, - "fileName": "positive4.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Secret", - "severity": "HIGH", - "line": 2, - "fileName": "positive5.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 3, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 7, - "fileName": "positive6.dockerfile" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive7.tf" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 4, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line":7, - "fileName": "positive8.json" - }, - { - "queryName": "Passwords And Secrets - Generic Password", - "severity": "HIGH", - "line": 8, - "fileName": "positive9.tf" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": 
"", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 17, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 27, - "fileName": "positive10.json" + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 9, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 11, - "fileName": "positive11.yaml" + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + 
"searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 11, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 15, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 19, - "fileName": "positive12.json" + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive13.tf" + "filename": "positive13.tf", + 
"resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 17, - "fileName": "positive14.tf" + "filename": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 18, - "fileName": "positive14.tf" + "filename": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, - "fileName": "positive15.tf" + "filename": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 15, - "fileName": "positive15.tf" + "filename": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", "severity": "HIGH", "line": 34, - "fileName": 
"positive16.yaml" + "filename": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", "severity": "HIGH", "line": 36, - "fileName": "positive16.yaml" + "filename": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 7, - "fileName": "positive17.tf" + "filename": "positive17.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive18.tf" + "filename": "positive18.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Slack Token", "severity": "HIGH", "line": 2, - "fileName": "positive19.tf" + "filename": "positive19.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + 
"severity": "HIGH", + "line": 6, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Stripe API Key", "severity": "HIGH", "line": 2, - "fileName": "positive20.tf" + "filename": "positive20.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google API Key", "severity": "HIGH", "line": 50, - "fileName": "positive21.tf" + "filename": "positive21.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Heroku API Key", "severity": "HIGH", "line": 3, - "fileName": "positive22.tf" + "filename": "positive22.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 3, - "fileName": "positive23.tf" + "filename": "positive23.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic API Key", "severity": 
"HIGH", "line": 4, - "fileName": "positive24.tf" + "filename": "positive24.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Square Access Token", "severity": "HIGH", "line": 3, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Picatic API Key", "severity": "HIGH", "line": 5, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Amazon MWS Auth Token", "severity": "HIGH", "line": 7, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - MailChimp API Key", "severity": "HIGH", "line": 9, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": 
"RedundantAttribute" }, { "queryName": "Passwords And Secrets - SendGrid API Key", "severity": "HIGH", "line": 11, - "fileName": "positive25.dockerfile" + "filename": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 9, - "fileName": "positive26.yaml" + "filename": "positive26.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive27.yaml" + "filename": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 22, - "fileName": "positive27.yaml" + "filename": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive28.yaml" + "filename": "positive28.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": 
"Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Mailgun API Key", "severity": "HIGH", "line": 2, - "fileName": "positive29.tf" + "filename": "positive29.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Stripe Restricted API Key", "severity": "HIGH", "line": 2, - "fileName": "positive30.tf" + "filename": "positive30.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Twilio API Key", "severity": "HIGH", "line": 4, - "fileName": "positive31.yaml" + "filename": "positive31.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - PayPal Braintree Access Token", "severity": "HIGH", "line": 4, - "fileName": "positive32.yaml" + "filename": "positive32.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear 
in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Facebook Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive33.yaml" + "filename": "positive33.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Square OAuth Secret", "severity": "HIGH", "line": 13, - "fileName": "positive34.yaml" + "filename": "positive34.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive35.yaml" + "filename": "positive35.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Putty User Key File Content", "severity": "HIGH", "line": 5, - "fileName": "positive36.tf" + "filename": "positive36.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 14, - "fileName": "positive37.tf" + "filename": "positive37.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": 
"", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 16, - "fileName": "positive38.yaml" + "filename": "positive38.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 3, - "fileName": "positive39.tf" + "filename": "positive39.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 9, + "filename": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 14, - "fileName": "positive40.tf" + "filename": "positive40.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - AWS Certificate", "severity": "HIGH", "line": 15, - "fileName": "positive40.tf" + "filename": "positive40.tf", + "resourceType": "", + "resourceName": "", + 
"searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive41.tf" + "filename": "positive41.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Access Key", "severity": "HIGH", "line": 7, - "fileName": "positive42.tf" + "filename": "positive42.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive43.yaml" + "filename": "positive43.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 17, - "fileName": "positive44.yaml" + "filename": "positive44.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 9, - "fileName": "positive45.tf" + "filename": "positive45.tf", + 
"resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 20, - "fileName": "positive46.yaml" + "filename": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 21, - "fileName": "positive46.yaml" + "filename": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive47.tf" + "filename": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 6, - "fileName": "positive47.tf" + "filename": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive48.tf" + 
"filename": "positive48.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 7, - "fileName": "positive49.yml" + "filename": "positive49.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Secret", + "severity": "HIGH", + "line": 2, + "filename": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 56, - "fileName": "positive50.yaml" + "filename": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 68, - "fileName": "positive50.yaml" + "filename": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - 
Dockerfile ENV hardcoded password with omitted equals", "severity": "HIGH", "line": 4, - "fileName": "positive51.dockerfile" + "filename": "positive51.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 4, - "fileName": "positive52.dockerfile" + "filename": "positive52.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 54, - "fileName": "positive53.json" + "filename": "positive53.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive54.tf" + "filename": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 14, - "fileName": "positive54.tf" + "filename": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key 
appears in source", + "issueType": "RedundantAttribute" }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 4, - "fileName": "positive55.json" + "filename": "positive55.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 3, + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "filename": "positive7.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 4, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": 
"RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 7, + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" + }, + { + "queryName": "Passwords And Secrets - Generic Password", + "severity": "HIGH", + "line": 8, + "filename": "positive9.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json index d22a547d757..3bceb7d2fd4 100644 --- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 50, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 41, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront 
logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 47, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 7147bac5f34..a141c22534a 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 14, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 54, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 44, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": 
"spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 50, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json index 89078c0250b..d5bed5f4808 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "CloudFront Without WAF",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Distribution",
+ "resourceName": "sample-distribution",
+ "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig",
+ "searchValue": "",
+ "expectedValue": "'webACLID' should be defined",
+ "actualValue": "'webACLID' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudFront Without WAF",
 "severity": "MEDIUM",
 "line": 48,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Distribution",
+ "resourceName": "sample-distribution",
+ "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig",
+ "searchValue": "",
+ "expectedValue": "'webACLID' should be defined",
+ "actualValue": "'webACLID' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
index 077082aa587..2fe9fc2fa4e 100644
--- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
+++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
 "line": 9,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "LogGroup",
+ "resourceName": "lg-3",
+ "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays",
+ "searchValue": "",
+ "expectedValue": "retentionInDays should be set to a valid value",
+ "actualValue": "retentionInDays is set to a invalid value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
 "line": 38,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "LogGroup",
+ "resourceName": "lg-4",
+ "searchKey": "spec.resources.base.metadata.name={{lg-4}}.spec.forProvider.retentionInDays",
+ "searchValue": "",
+ "expectedValue": "retentionInDays should be set to a valid value",
+ "actualValue": "retentionInDays is set to a invalid value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "LogGroup",
+ "resourceName": "lg-5",
+ "searchKey": "metadata.name={{lg-5}}.spec.forProvider",
+ "searchValue": "",
+ "expectedValue": "retentionInDays should be set to a valid value",
+ "actualValue": "retentionInDays is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
 "line": 34,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "LogGroup",
+ "resourceName": "lg-6",
+ "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider",
+ "searchValue": "",
+ "expectedValue": "retentionInDays should be set to a valid value",
+ "actualValue": "retentionInDays is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 0496d93bb96..f326f4668c8 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "DB Instance Storage Not Encrypted",
 "severity": "HIGH",
 "line": 21,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "rds3",
+ "searchKey": "metadata.name={{rds3}}.spec.forProvider.storageEncrypted",
+ "searchValue": "",
+ "expectedValue": "storageEncrypted should be set to true",
+ "actualValue": "storageEncrypted is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DB Instance Storage Not Encrypted",
 "severity": "HIGH",
 "line": 63,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "rds4",
+ "searchKey": "spec.resources.base.metadata.name={{rds4}}.spec.forProvider.storageEncrypted",
+ "searchValue": "",
+ "expectedValue": "storageEncrypted should be set to true",
+ "actualValue": "storageEncrypted is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "DB Instance Storage Not Encrypted",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "rds5",
+ "searchKey": ".metadata.name={{rds5}}.spec.forProvider",
+ "searchValue": "",
+ "expectedValue": "storageEncrypted should be defined and set to true",
+ "actualValue": "storageEncrypted is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "DB Instance Storage Not Encrypted",
 "severity": "HIGH",
 "line": 47,
- "fileName": "positive2.yaml"
- }
+ "filename": "positive2.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "rds6",
+ "searchKey": "spec.resources.base..metadata.name={{rds6}}.spec.forProvider",
+ "searchValue": "",
+ "expectedValue": "storageEncrypted should be defined and set to true",
+ "actualValue": "storageEncrypted is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
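Review bot: The third and fourth entries of this hunk pin `searchKey` values with a leading separator, `.metadata.name={{rds5}}.spec.forProvider`, and a doubled one, `spec.resources.base..metadata.name={{rds6}}.spec.forProvider`, while every other fixture in this change starts at `metadata.name` or `spec.resources.base.metadata.name`. That looks like a path-construction slip in the query's rego rather than an intended key shape, and recording it as the expected result means a later fix to the query will fail this test instead of being caught as a correction. Worth confirming against the query before these values become the baseline, or noting in the commit that the key shape is deliberate.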
diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 388655a694f..e2ab7118ed2 100644 --- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", "line": 17, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule2", + "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue" }, { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", "line": 55, - "fileName": "positive.yaml" - } + "filename": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule5", + "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json index c683dbe070f..5616621e8fc 100644 --- a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should be defined", + "actualValue": "DBCluster.enableCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: audit, profiler", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json index 53fb9b09db0..767e502692e 100644 --- a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should be defined and have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings is not defined", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "issueType": "MissingAttribute" }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive3.yaml" - } + "filename": "positive3.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json index b566c873588..2689372110f 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", + "searchValue": "", + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 38, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider.encrypted", + "searchValue": "", + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example5", + "searchKey": "metadata.name={{example5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", "line": 35, - "fileName": "positive2.yaml" - } + "filename": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example6", + "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json index d4dd72b8200..dd95c06767e 100644 
--- a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EFS Without KMS", "severity": "LOW", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 36, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 9839c2318a3..39219ffeba1 100644 --- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 18, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener", + "searchKey": "metadata.name={{test-listener}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue" }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 58, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener2", + "searchKey": "spec.resources.base.metadata.name={{test-listener2}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index a9b0dca7046..edcad6960ad 100644 --- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 40, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 15, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 50, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue" } -] \ 
No newline at end of file +] diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index e3a013bb08e..3534ba369b2 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "RDSInstance", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.publiclyAccessible", + "searchValue": "", + "expectedValue": "publiclyAccessible should be set to false", + "actualValue": "publiclyAccessible is set to true", + "issueType": "MissingAttribute" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "my-rds-instance", + "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName", + "searchValue": "", + "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it", + "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 3cfc042ed8d..071fc8f14c4 100644 --- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json 
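Review bot: In the rds_db_instance_publicly_accessible hunk, the first entry records `"issueType": "MissingAttribute"` for an `actualValue` of `publiclyAccessible is set to true`, which every other fixture in this change classifies as `IncorrectValue` (compare the `storageEncrypted is set to false` entries in db_instance_storage_not_encrypted and neptune_database_cluster_encryption_disabled). If the value was taken from the query's rego rather than from scan output, the rego probably carries the wrong issueType and the fixture now pins that mismatch; if it is what the scanner emitted, it is still worth confirming before it becomes the expected baseline. The second entry has the same classification for an `is part of a VPC` condition, and both of its message strings start with a stray `'` after `dbSubnetGroupName`, which looks like a quoting slip in the query message that this fixture would also lock in.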
+++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue3", + "searchKey": "metadata.name={{test-queue3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute" }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue4", + "searchKey": "spec.resources.base.metadata.name={{test-queue4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json index 1c265a231ce..f70fd5ca559 100644 --- a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue" }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 794ace29ea3..70e33fdffa1 100644 --- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Redis Cache Allows Non SSL Connections", "severity": "MEDIUM", "line": 14, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Redis", + "resourceName": "azureRedis3", + "searchKey": "metadata.name={{azureRedis3}}.spec.forProvider.enableNonSslPort", + "searchValue": "", + "expectedValue": "enableNonSslPort should be set to false or undefined", + "actualValue": "enableNonSslPort is set to true", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 011456b8a0d..72722e2cce5 100644 --- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Bucket", + "resourceName": "bucketSample", + "searchKey": "metadata.name={{bucketSample}}.spec", + "searchValue": "", + "expectedValue": "Bucket logging should be defined", + "actualValue": "Bucket logging is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 1c81ab5ef46..05fb33cab97 100644 --- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", + "searchValue": "", + "expectedValue": "management should be defined with autoRepair set to true", + "actualValue": "management is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", + "searchValue": "", + "expectedValue": "autoRepair should be set to true", + "actualValue": "autoRepair is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json index 9e2cf0047c4..59ff5effdf4 100644 --- a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Cgroup Not Default", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml" - } + { + "queryName": "Cgroup Not Default", + "severity": "MEDIUM", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.iperfclient.cgroup_parent", + "searchValue": "", + "expectedValue": "Cgroup_parent should be undefined", + "actualValue": "Cgroup_parent is defined. Only use this when strictly required.", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json index 476e375f089..3367a79817a 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json 
@@ -2,31 +2,66 @@ { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml" + "line": 4, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute" }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue" }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 4, - "filename": 
"positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json index cda368e50d8..48a1da16ac1 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json index ba658c797a9..5f852b4d893 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json 
@@ -3,36 +3,78 @@
 "queryName": "Cpus Not Limited",
 "severity": "LOW",
 "line": 9,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.zapzop.deploy.resources.limits",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources.limits.cpus' should be defined",
+ "actualValue": "'deploy.resources.limits.cpus' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cpus Not Limited",
 "severity": "LOW",
 "line": 4,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.criwhat",
+ "searchValue": "",
+ "expectedValue": "For cpus priority should be declared.",
+ "actualValue": "There is no cpus priority declared.",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cpus Not Limited",
 "severity": "LOW",
 "line": 3,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.zapzop",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources.limits.cpus' should be defined",
+ "actualValue": "'deploy' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cpus Not Limited",
 "severity": "LOW",
 "line": 7,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.zapzop.deploy",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources' should be defined",
+ "actualValue": "'deploy.resources' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cpus Not Limited",
 "severity": "LOW",
 "line": 5,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.redis.deploy",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources' should be defined",
+ "actualValue": "'deploy.resources' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cpus Not 
Limited", "severity": "LOW", "line": 8, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json index 29d6e88b80a..9301ecb1d83 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml" - }, - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 10, - "filename": "positive2.yaml" - } + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.demo.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue" + }, + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.example.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json
index c078e90a7fb..e0d6a3574f3 100644
--- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Docker Socket Mounted In Container",
- "severity": "HIGH",
- "line": 9,
- "filename": "positive1.yaml"
- }
+ {
+ "queryName": "Docker Socket Mounted In Container",
+ "severity": "HIGH",
+ "line": 9,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service1.volumes",
+ "searchValue": "",
+ "expectedValue": "To not have docker socket named 'docker.sock' mounted in a volume",
+ "actualValue": "There is a docker socket named 'docker.sock' mounted in a volume",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json
index 22272ad13eb..e73e4eb0589 100644
--- a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Healthcheck Not Set",
- "severity": "MEDIUM",
- "line": 4,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Healthcheck Not Set",
- "severity": "MEDIUM",
- "line": 14,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Healthcheck Not Set",
- "severity": "MEDIUM",
- "line": 14,
- "filename": "positive3.yaml"
- }
+ {
+ "queryName": "Healthcheck Not Set",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.lelele-service",
+ "searchValue": "",
+ "expectedValue": "Healthcheck should be defined.",
+ "actualValue": "Healthcheck is not defined.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Healthcheck Not Set",
+ "severity": "MEDIUM",
+ "line": 14,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.lelele-service.healthcheck.disable",
+ "searchValue": "",
+ "expectedValue": "Healthcheck should be enabled.",
+ "actualValue": "Healthcheck is disabled.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Healthcheck Not Set",
+ "severity": "MEDIUM",
+ "line": 14,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.lelele-service.healthcheck.test",
+ "searchValue": "",
+ "expectedValue": "Healthcheck should be enabled.",
+ "actualValue": "Healthcheck is disabled.",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json
index 3a17ab2508c..681ab8af043 100644
--- a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Host Namespace is Shared",
- "severity": "MEDIUM",
- "line": 10,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Host Namespace is Shared",
- "severity": "MEDIUM",
- "line": 6,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Host Namespace is Shared",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive3.yaml"
- }
- ]
+ {
+ "queryName": "Host Namespace is Shared",
+ "severity": "MEDIUM",
+ "line": 10,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service_name_1.pid",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be pid mode declared as host",
+ "actualValue": "There is a pid mode declared as host",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Host Namespace is Shared",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service_name_2.pid",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be pid mode declared as host",
+ "actualValue": "There is a pid mode declared as host",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Host Namespace is Shared",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.internal.pid",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be pid mode declared as host",
+ "actualValue": "There is a pid mode declared as host",
+ "issueType": "IncorrectValue"
+ }
+]
diff --git a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json
index dc2ba07fd8e..ff31cd36a7b 100644
--- a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 9,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 4,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 3,
- "filename": "positive3.yaml"
- },
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 7,
- "filename": "positive3.yaml"
- },
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 8,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Memory Not Limited",
- "severity": "MEDIUM",
- "line": 5,
- "filename": "positive5.yaml"
- }
- ]
+ {
+ "queryName": "Memory Not Limited",
+ "severity": "MEDIUM",
+ "line": 9,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.zapzop.deploy.resources.limits",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources.limits.memory' should be defined",
+ "actualValue": "'deploy.resources.limits.memory' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Memory Not Limited",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.criwhat",
+ "searchValue": "",
+ "expectedValue": "For mem_limit should be declared.",
+ "actualValue": "There is no mem_limit declared.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Memory Not Limited",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.zapzop",
+ "searchValue": "",
+ "expectedValue": "'deploy.resources.limits.memory' should be defined",
+ "actualValue": "'deploy' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Memory Not Limited",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ 
"searchKey": "services.zapzop.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 8, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 5, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute" + } +] diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json index 904cf5d83a0..cbe6879f3a6 100644 --- a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "No New Privileges Not Set",
- "severity": "HIGH",
- "line": 12,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "No New Privileges Not Set",
- "severity": "HIGH",
- "line": 12,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "No New Privileges Not Set",
+ "severity": "HIGH",
+ "line": 12,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service-service-service.security_opt",
+ "searchValue": "",
+ "expectedValue": "no-new-privileges should be set in security_opt.",
+ "actualValue": "no-new-privileges is not set in security_opt",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "No New Privileges Not Set",
+ "severity": "HIGH",
+ "line": 12,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service-service-service.security_opt",
+ "searchValue": "",
+ "expectedValue": "no-new-privileges should be set in security_opt.",
+ "actualValue": "no-new-privileges is not set in security_opt",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json
index c662bfd1292..8680ec27ced 100644
--- a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Pids Limit Not Set",
- "severity": "MEDIUM",
- "line": 7,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Pids Limit Not Set",
- "severity": "MEDIUM",
- "line": 12,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Pids Limit Not Set",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.auth",
+ "searchValue": "",
+ "expectedValue": "Pids_limit should be defined.",
+ "actualValue": "Pids_limit is not defined.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pids Limit Not Set",
+ "severity": "MEDIUM",
+ "line": 12,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.auth.pids_limit",
+ "searchValue": "",
+ "expectedValue": "Pids_limit should be limited.",
+ "actualValue": "Pids_limit is not limited.",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json
index 880f3c8359a..2ff067e4b04 100644
--- a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Privileged Containers Enabled",
- "severity": "HIGH",
- "line": 10,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Privileged Containers Enabled",
- "severity": "HIGH",
- "line": 13,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Privileged Containers Enabled",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set",
+ "actualValue": "Docker compose file has 'privileged' attribute as true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Privileged Containers Enabled",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set",
+ "actualValue": "Docker compose file has 'privileged' attribute as true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
index 4f29698ae01..12504201b0e 100644
--- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
@@ -1,80 +1,171 @@
 [
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 12,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive7.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive5.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive8.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 5,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive10.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive6.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive11.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive3.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive9.yaml"
- },
- {
- "queryName": "Privileged Ports Mapped In Container",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive12.yaml"
- }
+ {
+ "queryName": "Privileged Ports Mapped In Container",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.dhcpd.ports",
+ "searchValue": "",
+ 
"expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.dhcp_client.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + 
"actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": 
"IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json
index bf96e318d8c..2febc333310 100644
--- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.customer.restart",
+ "searchValue": "",
+ "expectedValue": "on-failure restart attempts should be 5",
+ "actualValue": "on-failure restart attempts are not 5",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.customer.deploy.restart_policy.max_attempts",
+ "searchValue": "",
+ "expectedValue": "on-failure restart attempts should be 5",
+ "actualValue": "on-failure restart attempts are not 5",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.name_of_service.restart",
+ "searchValue": "",
+ "expectedValue": "on-failure restart attempts should be 5",
+ "actualValue": "on-failure restart attempts are not 5",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.customer.restart",
+ "searchValue": "",
+ "expectedValue": "on-failure restart attempts should be 5",
+ "actualValue": "on-failure restart attempts are not 5",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Restart Policy On Failure Not Set To 5",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.customer.deploy.restart_policy.max_attempts",
+ 
"searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json index 5f83e948915..5201908f65b 100644 --- a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Security Opt Not Set", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'security_opt' attribute", + "actualValue": "Docker compose file does not have 'security_opt' attribute", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json index 3963d4a3f4e..6c4d1823789 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Shared Host IPC Namespace",
- "severity": "MEDIUM",
- "line": 10,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Shared Host IPC Namespace",
- "severity": "MEDIUM",
- "line": 13,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Shared Host IPC Namespace",
+ "severity": "MEDIUM",
+ "line": 10,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set",
+ "actualValue": "Docker compose file has 'ipc' attribute as host",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Shared Host IPC Namespace",
+ "severity": "MEDIUM",
+ "line": 13,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set",
+ "actualValue": "Docker compose file has 'ipc' attribute as host",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
index 049396ca1ed..ba31d4715fe 100644
--- a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
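Review bot: Both entries added in this section pin `"searchKey": "services.webapp.privileged"` for a check whose expectedValue/actualValue describe the 'ipc' attribute, so the fixture freezes a searchKey that points at a different attribute than the one the finding is about (the same key the privileged_containers_enabled fixture uses, which suggests a copy-paste in the query's searchKey rather than a real 'privileged' match). Once this is committed as expected output, the test will keep passing on the wrong key and the mismatch will not be caught; the searchKey should presumably read `services.webapp.ipc`, corrected in the query's rego so a regenerated fixture reflects it rather than hand-editing this file. The rego is not in this diff, so I cannot confirm which side is wrong.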
@@ -1,9 +1,15 @@
 [
- {
- "queryName": "Shared Host Network Namespace",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive1.yaml"
- }
- ]
- 
\ No newline at end of file
+ {
+ "queryName": "Shared Host Network Namespace",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.mongo.network_mode",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be network mode declared as host",
+ "actualValue": "There is a network mode declared as host",
+ "issueType": "IncorrectValue"
+ }
+]
diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
index 24517d5ef89..15827711f59 100644
--- a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
@@ -3,7 +3,13 @@
 "queryName": "Shared Host User Namespace",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service1.userns_mode",
+ "searchValue": "",
+ "expectedValue": "Attribute 'userns_mode' should not be set or not set to host",
+ "actualValue": "Attribute 'userns_mode' is set to host",
+ "issueType": "IncorrectValue"
 }
 ]
- 
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
index 4036243d3a3..ef23bb84191 100644
--- a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Shared Volumes Between Containers",
- "severity": "INFO",
- "line": 9,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Shared Volumes Between Containers",
- "severity": "INFO",
- "line": 16,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Shared Volumes Between Containers",
- "severity": "INFO",
- "line": 8,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Shared Volumes Between Containers",
- "severity": "INFO",
- "line": 17,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Shared Volumes Between Containers",
+ "severity": "INFO",
+ "line": 9,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.frontend.volumes",
+ "searchValue": "shared",
+ "expectedValue": "There shouldn't be volumes shared between containers",
+ "actualValue": "Volume ./logic:/app shared between containers",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Shared Volumes Between Containers",
+ "severity": "INFO",
+ "line": 16,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.backend.volumes",
+ "searchValue": "shared",
+ "expectedValue": "There shouldn't be volumes shared between containers",
+ "actualValue": "Volume ./logic:/app shared between containers",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Shared Volumes Between Containers",
+ "severity": "INFO",
+ "line": 8,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.app.volumes",
+ "searchValue": "created-and-shared",
+ "expectedValue": "There shouldn't be volumes created and shared between containers",
+ "actualValue": "Volume shared-volume created and shared between containers",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Shared Volumes Between Containers",
+ "severity": "INFO",
+ "line": 17,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.checker.volumes",
+ "searchValue": "created-and-shared",
+ "expectedValue": "There shouldn't be volumes created and shared between containers",
+ "actualValue": "Volume shared-volume created and shared between containers",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json
index 0c70a091734..715d5f99fe4 100644
--- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Volume Has Sensitive Host Directory",
- "severity": "HIGH",
- "line": 11,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Volume Has Sensitive Host Directory",
- "severity": "HIGH",
- "line": 18,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Volume Has Sensitive Host Directory",
- "severity": "HIGH",
- "line": 14,
- "filename": "positive3.yaml"
- },
- {
- "queryName": "Volume Has Sensitive Host Directory",
- "severity": "HIGH",
- "line": 11,
- "filename": "positive4.yaml"
- }
+ {
+ "queryName": "Volume Has Sensitive Host Directory",
+ "severity": "HIGH",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.backup.volumes",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be sensitive directory mounted as a volume",
+ "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Has Sensitive Host Directory",
+ "severity": "HIGH",
+ "line": 18,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "volumes.vol.driver_opts.device",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be sensitive directory mounted as a volume",
+ "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Has Sensitive Host Directory",
+ "severity": "HIGH",
+ "line": 14,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "volumes.wp-content.driver_opts.mountpoint",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be sensitive directory mounted as a volume",
+ "actualValue": "There is a sensitive directory (/var/data) mounted as a volume",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Has Sensitive Host Directory",
+ "severity": "HIGH",
+ "line": 11,
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.yesno.volumes.source",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be sensitive directory mounted as a volume",
+ "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json
index 09452900a9e..f6a6f6aee59 100644
--- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Volume Mounted In Multiple Containers",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Volume Mounted In Multiple Containers",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Volume Mounted In Multiple Containers",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive3.yaml"
- },
- {
- "queryName": "Volume Mounted In Multiple Containers",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive4.yaml"
- }
+ {
+ "queryName": "Volume Mounted In Multiple Containers",
+ "severity": "HIGH",
+ "line": 15,
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.old8k.volumes.bind.propagation",
+ "searchValue": "",
+ "expectedValue": "Volumes should not be mounted in multiple containers",
+ "actualValue": "Volumes are being mounted in multiple containers, mode: rshared",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Mounted In Multiple Containers",
+ "severity": "HIGH",
+ "line": 15,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.old8k.volumes.bind.propagation",
+ "searchValue": "",
+ "expectedValue": "Volumes should not be mounted in multiple containers",
+ "actualValue": "Volumes are being mounted in multiple containers, mode: shared",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Mounted In Multiple Containers",
+ "severity": "HIGH",
+ "line": 15,
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.old8k.volumes.bind.propagation",
+ "searchValue": "",
+ "expectedValue": "Volumes should not be mounted in multiple containers",
+ "actualValue": "Volumes are being mounted in multiple containers, mode: rslave",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Volume Mounted In Multiple Containers",
+ "severity": "HIGH",
+ "line": 15,
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.old8k.volumes.bind.propagation",
+ "searchValue": "",
+ "expectedValue": "Volumes should not be mounted in multiple containers",
+ "actualValue": "Volumes are being mounted in multiple containers, mode: slave",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
index 7e9efb25dd7..7085fc2ce9e 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Add Instead of Copy",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}",
+ "searchValue": "",
+ "expectedValue": "'COPY' ${JAR_FILE}",
+ "actualValue": "'ADD' ${JAR_FILE}",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json
index ab094181dbb..0cfa8811afb 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Apk Add Using Local Cache Path",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apk Add Using Local Cache Path",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive2.dockerfile"
- }
+ {
+ "queryName": "Apk Add Using Local Cache Path",
+ "severity": "INFO",
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}",
+ "searchValue": "",
+ "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
+ "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Apk Add Using Local Cache Path",
+ "severity": "INFO",
+ "line": 2,
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}",
+ "searchValue": "",
+ "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
+ "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
index ab1370df2dd..f7522ad38f9 100644
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Apt Get Install Lists Were Not Deleted",
 "severity": "INFO",
 "line": 2,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}",
+ "searchValue": "",
+ "expectedValue": "After using apt-get install, the apt-get lists should be deleted",
+ "actualValue": "After using apt-get install, the apt-get lists were not deleted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Lists Were Not Deleted",
 "severity": "INFO",
 "line": 5,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}",
+ "searchValue": "",
+ "expectedValue": "After using apt-get install, the apt-get lists should be deleted",
+ "actualValue": "After using apt-get install, the apt-get lists were not deleted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Lists Were Not Deleted",
 "severity": "INFO",
 "line": 8,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}",
+ "searchValue": "",
+ "expectedValue": "After using apt-get install, the apt-get lists should be deleted",
+ "actualValue": "After using apt-get install, the apt-get lists were not deleted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Lists Were Not Deleted",
 "severity": "INFO",
 "line": 12,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}",
+ "searchValue": "",
+ "expectedValue": "After using apt-get install, the apt-get lists should be deleted",
+ "actualValue": "After using apt-get install, the apt-get lists were not deleted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Lists Were Not Deleted",
 "severity": "INFO",
 "line": 2,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}",
+ "searchValue": "",
+ "expectedValue": "After using apt-get install, the apt-get lists should be deleted",
+ "actualValue": "After using apt-get install, the apt-get lists were not deleted",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json
index f2afe4b4ae2..28afb15a410 100644
--- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json
@@ -3,96 +3,208 @@
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-pip",
+ "expectedValue": "Package 'python-pip' has version defined",
+ "actualValue": "Package 'python-pip' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-qt4",
+ "expectedValue": "Package 'python-qt4' has version defined",
+ "actualValue": "Package 'python-qt4' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python3-pip",
+ "expectedValue": "Package 'python3-pip' has version defined",
+ "actualValue": "Package 'python3-pip' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python3-pyqt5",
+ "expectedValue": "Package 'python3-pyqt5' has version defined",
+ "actualValue": "Package 'python3-pyqt5' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-pyside",
+ "expectedValue": "Package 'python-pyside' has version defined",
+ "actualValue": "Package 'python-pyside' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}",
+ "searchValue": "python",
+ "expectedValue": "Package 'python' has version defined",
+ "actualValue": "Package 'python' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-pip",
+ "expectedValue": "Package 'python-pip' has version defined",
+ "actualValue": "Package 'python-pip' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-pyside",
+ "expectedValue": "Package 'python-pyside' has version defined",
+ "actualValue": "Package 'python-pyside' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python-qt4",
+ "expectedValue": "Package 'python-qt4' has version defined",
+ "actualValue": "Package 'python-qt4' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python3-pyqt5",
+ "expectedValue": "Package 'python3-pyqt5' has version defined",
+ "actualValue": "Package 'python3-pyqt5' does not have version defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Apt Get Install Pin Version Not Defined",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}",
+ "searchValue": "python3-pip",
+ "expectedValue": "Package 'python3-pip' has version defined",
+ "actualValue": "Package 'python3-pip' does not have version defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
index eb501cf7739..1299f262bed 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
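Review bot: The two exec-form entries (positive.dockerfile line 3 and positive2.dockerfile line 3, searchKey `{{RUN [\"apt-get\", \"install\", \"python\"]}}`) record `"issueType": "IncorrectValue"`, while the other fourteen entries in this file carry byte-identical expectedValue/actualValue strings and record `"issueType": "MissingAttribute"`. If the generator derives issueType by matching those strings against the rego, as its docstring describes, this divergence suggests the rego has a separate result branch for the JSON-array form that reports a different issueType for the same finding; either way the fixture now locks in two issueTypes for one condition. It would be worth aligning the rego branches (or confirming the difference is intended) before regenerating, so the expected result does not encode the inconsistency. The hunk starts at the file's third line, so the opening `[` and first `{` are outside it.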
@@ -3,90 +3,195 @@
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input",
+ "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 3,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input",
+ "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 4,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input",
+ "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 3,
- "filename": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 4,
- "filename": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input",
+ "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive3.dockerfile"
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input",
+ "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive4.dockerfile"
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input",
+ "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 3,
- "filename": "positive4.dockerfile"
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
- {
- "queryName": "APT-GET Missing Flags To Avoid Manual Input",
- "severity": "LOW",
- "line": 3,
- "filename": "positive5.dockerfile"
- },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive5.dockerfile"
+ "filename": "positive5.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input",
+ "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 3,
- "filename": "positive6.dockerfile"
- },
+ "filename": "positive5.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
+ },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive6.dockerfile"
+ "filename": "positive6.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 3,
- "filename": "positive7.dockerfile"
- },
+ "filename": "positive6.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input",
+ "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
+ },
 {
 "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "line": 2,
- "filename": "positive7.dockerfile"
+ "filename": "positive7.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input",
+ "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+ "severity": "LOW",
+ "line": 3,
+ "filename": "positive7.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input",
+ "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json
index 224923adbc5..448ff08f8a1 100644
--- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "APT-GET Not Avoiding Additional Packages",
- "severity": "INFO",
- "line": 2
- },
- {
- "queryName": "APT-GET Not Avoiding Additional Packages",
- "severity": "INFO",
- "line": 3
- }
+ {
+ "queryName": "APT-GET Not Avoiding Additional Packages",
+ "severity": "INFO",
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}",
+ "searchValue": "",
+ "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages",
+ "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "APT-GET Not Avoiding Additional Packages",
+ "severity": "INFO",
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}",
+ "searchValue": "",
+ "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages",
+ "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json
index c9854941220..1e630afe2f8 100644
--- a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Changing Default Shell Using RUN Command",
- "severity": "MEDIUM",
- "line": 5,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "Changing Default Shell Using RUN Command",
- "severity": "MEDIUM",
- "line": 5,
- "filename": "positive2.dockerfile"
- }
+ {
+ "queryName": "Changing Default Shell Using RUN Command",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN ln -sfv /bin/bash /bin/sh}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN ln -sfv /bin/bash /bin/sh}} should use the SHELL command to change the default shell",
+ "actualValue": "{{RUN ln -sfv /bin/bash /bin/sh}} uses the RUN command to change the default shell",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Changing Default Shell Using RUN Command",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN powershell -command}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN powershell -command}} should use the SHELL command to change the default shell",
+ "actualValue": "{{RUN powershell -command}} uses the RUN command to change the default shell",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json
index 41cc05a4a3d..b934c1b88f7 100644
--- a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Chown Flag Exists",
 "severity": "LOW",
- "line": 4
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3.7}}.{{COPY --chown=patrick:patrick app /app}}",
+ "searchValue": "",
+ "expectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag",
+ "actualValue": "The 'Dockerfile' contains the 'chown' flag",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json
index 0a577a86177..b5249f83750 100644
--- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "COPY '--from' References Current FROM Alias",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{myimage:tag as dep}}.{{COPY --from=dep /binary /}}",
+ "searchValue": "",
+ "expectedValue": "COPY --from should not reference the current FROM alias",
+ "actualValue": "COPY --from references the current FROM alias",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
index 2774ad6013d..ee7168d1d79 100644
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
@@ -2,7 +2,14 @@
 {
 "queryName": "Copy With More Than Two Arguments Not Ending With Slash",
 "severity": "LOW",
- "fileName": "positive.dockerfile",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:carbon2}}.COPY={{package.json}}",
+ "searchValue": "",
+ "expectedValue": "When COPY command has more than two arguments, the last one should end with a slash",
+ "actualValue": "COPY command has more than two arguments and the last one does not end with a slash",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
index 914f34a3b1a..d4e80e825a9 100644
--- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Curl or Wget Instead of Add",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD https://example.com/big.tar.xz /usr/src/things/}}",
+ "searchValue": "",
+ "expectedValue": "Should use 'curl' or 'wget' to download https://example.com/big.tar.xz",
+ "actualValue": "'ADD' https://example.com/big.tar.xz",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
index 7c697fbb3e4..fab7a292549 100644
--- a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Exposing Port 22 (SSH)",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 3000 80 443 22}}",
+ "searchValue": "",
+ "expectedValue": "'EXPOSE' shouldn't contain the port 22 ",
+ "actualValue": "'EXPOSE' contains the port 22 ",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
index 9e0dc193dc6..f88fdab63e9 100644
--- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Gem Install Without Version",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}",
+ "searchValue": "",
+ "expectedValue": "RUN gem install bundler is 'gem install :'",
+ "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Gem Install Without Version",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}",
+ "searchValue": "",
+ "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'",
+ "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Gem Install Without Version",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder}}",
+ "searchValue": "",
+ "expectedValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install :'",
+ "actualValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install ', you should use 'gem install :",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
index 3fff0a3f2f4..78c0530155b 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
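Review bot: The `expectedValue` and `actualValue` strings pinned for all three entries, `RUN gem install bundler is 'gem install :'` and `... you should use 'gem install :`, contain an empty placeholder around the colon and an unbalanced quote, so the remediation text as recorded never tells the user the expected `gem install <name>:<version>` form. Whether the placeholder was dropped in the query's sprintf or somewhere before it reached this fixture cannot be told from the hunk alone. If query.rego really emits this text, the fix belongs there and this file should be regenerated from a scan rather than edited by hand, since the test compares it against live scanner output.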
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Healthcheck Instruction Missing",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Healthcheck Instruction Missing",
- "severity": "LOW",
- "line": 7,
- "fileName": "positive2.dockerfile"
- }
+ {
+ "queryName": "Healthcheck Instruction Missing",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:alpine}}",
+ "searchValue": "",
+ "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'",
+ "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Healthcheck Instruction Missing",
+ "severity": "LOW",
+ "line": 7,
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}",
+ "searchValue": "",
+ "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'",
+ "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
index a5cbb7933e2..ae90389ff41 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive1.dockerfile",
- "line": 1
- },
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive2.dockerfile",
- "line": 7
- },
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive3.dockerfile",
- "line": 4
- },
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive3.dockerfile",
- "line": 7
- },
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive4.dockerfile",
- "line": 7
- },
- {
- "queryName": "Image Version Not Explicit",
- "severity": "MEDIUM",
- "fileName": "positive4.dockerfile",
- "line": 10
- }
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine}}",
+ "searchValue": "",
+ "expectedValue": "FROM alpine:'version'",
+ "actualValue": "FROM alpine'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{construction AS final}}",
+ "searchValue": "",
+ "expectedValue": "FROM construction:'version'",
+ "actualValue": "FROM construction'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{positive4 }}",
+ "searchValue": "",
+ "expectedValue": "FROM positive4:'version'",
+ "actualValue": "FROM positive4'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{positive42}}",
+ "searchValue": "",
+ "expectedValue": "FROM positive42:'version'",
+ "actualValue": "FROM positive42'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{test_fail_1}}",
+ "searchValue": "",
+ "expectedValue": "FROM test_fail_1:'version'",
+ "actualValue": "FROM test_fail_1'",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "line": 10,
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{test3 AS test_fail_2}}",
+ "searchValue": "",
+ "expectedValue": "FROM test3:'version'",
+ "actualValue": "FROM test3'",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
index 54fb27a0982..097b3f3e02d 100644
--- a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Image Version Using 'latest'",
- "severity": "MEDIUM",
- "line": 1
- }
+ {
+ "queryName": "Image Version Using 'latest'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest}}",
+ "searchValue": "",
+ "expectedValue": "FROM alpine:latest:'version' where version should not be 'latest'",
+ "actualValue": "FROM alpine:latest'",
+ "issueType": "IncorrectValue"
+ }
 ]
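Review bot: Every `actualValue` in this hunk ends with a stray unmatched apostrophe, e.g. `"actualValue": "FROM alpine'"` and `"actualValue": "FROM test3'"`, while the paired `expectedValue` reads `FROM alpine:'version'`; the commit is locking a message typo into six test expectations. The quote presumably comes from the query's sprintf format rather than from this file, so the correction should be made in query.rego (emit `FROM alpine` with no trailing quote) and the fixture regenerated, not patched by hand. The positive3 entry also records `"searchKey": "FROM={{positive4 }}"` with a trailing space inside the braces, which suggests the image reference is captured without trimming; harmless for matching, but worth confirming in the parser.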
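Review bot: The `expectedValue` pinned here, `FROM alpine:latest:'version' where version should not be 'latest'`, repeats the offending `:latest` tag and then appends a second `:'version'`, and the `actualValue` `FROM alpine:latest'` ends with an unmatched quote; both read as format-string slips in the query rather than intended wording. A clearer pair would be `"expectedValue": "FROM alpine:'version' where version should not be 'latest'"` and `"actualValue": "FROM alpine:latest"`. Because this file records live scanner output, change the sprintf in the query and regenerate rather than editing the JSON directly.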
diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
index 751442ed373..e377fb693b1 100644
--- a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Last User Is 'root'",
 "severity": "HIGH",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:2.6}}.{{USER root}}",
+ "searchValue": "",
+ "expectedValue": "Last User shouldn't be root",
+ "actualValue": "Last User is root",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
index ae5d0a537f5..fa27642d14d 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "MAINTAINER Instruction Being Used",
- "severity": "LOW",
- "line": 4
- }
+ {
+ "queryName": "MAINTAINER Instruction Being Used",
+ "severity": "LOW",
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.MAINTAINER={{\"SvenDowideit@home.org.au\"}}",
+ "searchValue": "",
+ "expectedValue": "Maintainer instruction being used in Label 'LABEL maintainer=\"SvenDowideit@home.org.au\"'",
+ "actualValue": "Maintainer instruction not being used in Label 'MAINTAINER \"SvenDowideit@home.org.au\"'",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
index 0c521996f67..ac58d253573 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Missing Dnf Clean All",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce}}",
+ "searchValue": "",
+ "expectedValue": "After installing a package with dnf, command 'dnf clean all' should run.",
+ "actualValue": "Command `dnf clean all` is not being run after installing packages.",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
index 8ca30d102d6..03ce6b81d68 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}",
+ "searchValue": "dnf install docker-ce",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}",
+ "searchValue": "dnf in docker-ce",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:27}}.RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}",
+ "searchValue": "set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}",
+ "searchValue": "dnf in docker-ce",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive3.dockerfile"
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}",
+ "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Flag From Dnf Install",
 "severity": "LOW",
 "line": 21,
- "fileName": "positive4.dockerfile"
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer}}.RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}",
+ "searchValue": "tdnf install jq tar libicu python3-requests python3-yaml",
+ "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
+ "actualValue": "Command `RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}` doesn't have the `-y` or `--assumeyes` switch set",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
index 8a0833e1de1..785c0f99182 100644
--- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Missing User Instruction",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Missing User Instruction",
- "severity": "HIGH",
- "line": 7,
- "fileName": "positive2.dockerfile"
- }
+ {
+ "queryName": "Missing User Instruction",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:2.7}}",
+ "searchValue": "",
+ "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction",
+ "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Missing User Instruction",
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}",
+ "searchValue": "",
+ "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction",
+ "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
index 53dca70b9fb..73294cdce5c 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
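Review bot: The `searchValue` recorded for positive2.dockerfile line 2 is the entire chain `set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all`, whereas the equivalent `&&`-joined command in positive.dockerfile line 2 is narrowed to `dnf install docker-ce`; the finding still fires, but this pattern suggests the query splits compound RUN commands on `&&` and not on `;`, so the reported location (and the `actualValue` text) is much coarser for semicolon-separated chains. The `expectedValue` for the positive3 and positive4 entries also speaks of `dnf install` while the flagged commands are `microdnf install` and `tdnf install`, which will confuse anyone reading the report. Both are properties of the query rather than of this fixture, so if they are addressed this file must be regenerated from a scan.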
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Missing Version Specification In dnf install",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}",
+ "searchValue": "",
+ "expectedValue": "Package version should be specified when using 'dnf install'",
+ "actualValue": "Package version should be pinned when running ´dnf install´",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing Version Specification In dnf install",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}",
+ "searchValue": "",
+ "expectedValue": "Package version should be specified when using 'dnf install'",
+ "actualValue": "Package version should be pinned when running ´dnf install´",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json
index 5570f022802..5e04d5e79fe 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json
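Review bot: The `actualValue` pinned for both entries, `Package version should be pinned when running ´dnf install´`, is phrased as a recommendation rather than an observation and is nearly a paraphrase of the `expectedValue` `Package version should be specified when using 'dnf install'`, so the report never states what was actually found; something like `"actualValue": "'dnf -y install httpd' does not pin a package version"` would carry real information. It also mixes the acute accent `´` with the ASCII `'` used in the expected value (the same `´` appears in the chown and multiple_run_add_copy messages elsewhere in this change), a small encoding/consistency nit that is now fixed into test data. Both strings originate in the query, so they should be changed there and the fixture regenerated.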
@@ -2,6 +2,14 @@
 {
 "queryName": "Missing Zypper Clean",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install}}",
+ "searchValue": "",
+ "expectedValue": "There should be a zypper clean after a zypper usage",
+ "actualValue": "The command 'zypper install' does not have a zypper clean after it",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json
index fa3f05610c9..230a507ca26 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Missing Zypper Non-interactive Switch",
- "severity": "MEDIUM",
- "line": 2
- }
+ {
+ "queryName": "Missing Zypper Non-interactive Switch",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install httpd && zypper clean}}",
+ "searchValue": "",
+ "expectedValue": "zypper usages should have the non-interactive switch activated",
+ "actualValue": "The command 'RUN zypper install httpd && zypper clean' does not have the non-interactive switch activated (-y | --no-confirm)",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
index 5110e6420af..869c126fc1d 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
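Review bot: This fixture records `"issueType": "MissingAttribute"` for a missing `zypper clean`, while the analogous missing_dnf_clean_all fixture in this same change records `"issueType": "IncorrectValue"` for a missing `dnf clean all`; two queries that detect the same class of finding now classify it differently. Since issueType is consumed downstream for grouping and remediation hints, the two query.rego files should agree (MissingAttribute arguably fits "a required instruction is absent" best) and both fixtures should then be regenerated rather than edited here. The `searchKey` `FROM={{busybox:1.0}}.{{RUN zypper install}}` also shows the positive sample is a bare `zypper install` with no package argument, which is enough for this check but is not a realistic Dockerfile line.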
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Multiple CMD Instructions Listed",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}.{{CMD [\"./app\"] }}",
+ "searchValue": "",
+ "expectedValue": "There should be only one CMD instruction",
+ "actualValue": "There are 2 CMD instructions",
+ "issueType": "RedundantAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json
index c1c67a870ea..9f42ee34840 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Multiple ENTRYPOINT Instructions Listed",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}.{{ENTRYPOINT [ \"/opt/app/run.sh\", \"--port\", \"8080\" ]}}",
+ "searchValue": "",
+ "expectedValue": "There should be only one ENTRYPOINT instruction",
+ "actualValue": "There are 2 ENTRYPOINT instructions",
+ "issueType": "RedundantAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json
index 7474b74c429..7ae705bdf8d 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Multiple RUN, ADD, COPY, Instructions Listed",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}",
+ "searchValue": "",
+ "expectedValue": "There isn´t any RUN instruction that could be grouped",
+ "actualValue": "There are RUN instructions that could be grouped",
+ "issueType": "RedundantAttribute"
 },
 {
 "queryName": "Multiple RUN, ADD, COPY, Instructions Listed",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}",
+ "searchValue": "",
+ "expectedValue": "There isn´t any COPY instruction that could be grouped",
+ "actualValue": "There are COPY instructions that could be grouped",
+ "issueType": "RedundantAttribute"
 },
 {
 "queryName": "Multiple RUN, ADD, COPY, Instructions Listed",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive3.dockerfile"
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{ubuntu}}.{{ADD cairo.spec /rpmbuild/SOURCES}}",
+ "searchValue": "",
+ "expectedValue": "There isn´t any ADD instruction that could be grouped",
+ "actualValue": "There are ADD instructions that could be grouped",
+ "issueType": "RedundantAttribute"
 }
 ]
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
index 779bfea3ef6..35627cab296 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
- "severity": "MEDIUM",
- "line": 10
- },
- {
- "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
- "severity": "MEDIUM",
- "line": 11
- }
+ {
+ "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
+ "severity": "MEDIUM",
+ "line": 10,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{CMD [python, /usr/src/app/app.py] }}",
+ "searchValue": "",
+ "expectedValue": "{{CMD [python, /usr/src/app/app.py] }} should be in the JSON Notation",
+ "actualValue": "{{CMD [python, /usr/src/app/app.py] }} isn't in JSON Notation",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{ENTRYPOINT [top, -b]}}",
+ "searchValue": "",
+ "expectedValue": "{{ENTRYPOINT [top, -b]}} should be in the JSON Notation",
+ "actualValue": "{{ENTRYPOINT [top, -b]}} isn't in JSON Notation",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
index ec6862cd11b..c651cc8fe21 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 2,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm install sax' uses npm install with a pinned version",
+ "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 3,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version",
+ "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version",
+ "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version",
+ "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version",
+ "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}",
+ "searchValue": "",
+ "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version",
+ "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NPM Install Command Without Pinned Version",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}",
+ "searchValue": "",
+ "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version",
+ "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
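Review bot: All seven new actualValue strings in this hunk pin the wording `does not uses npm install with a pinned version`, which reads as a grammar slip; if the query's sprintf literal says exactly that, the fixture is faithful, but any later wording fix in query.rego will require touching all seven entries here at once, so confirming the source of the text before locking it in is worthwhile. A sentence in the commit description stating that these strings are copied from scanner output rather than authored would make that provenance clear.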
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
index 727c06aeff6..5f8421f8e88 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Pip install Keeping Cached Packages",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3}}.{{pip install --upgrade pip && pip install nibabel pydicom matplotlib pillow && pip install med2image}}",
+ "searchValue": "",
+ "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
+ "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Pip install Keeping Cached Packages",
 "severity": "LOW",
- "line": 8
+ "line": 8,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}",
+ "searchValue": "",
+ "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
+ "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Pip install Keeping Cached Packages",
 "severity": "LOW",
- "line": 9
+ "line": 9,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}",
+ "searchValue": "",
+ "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
+ "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Pip install Keeping Cached Packages",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3.1}}.{{pip3 install requests=2.7.0}}",
+ "searchValue": "",
+ "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
+ "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Pip install Keeping Cached Packages",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}",
+ "searchValue": "",
+ "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
+ "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
index 4cba6c72f3f..0c60624072b 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}",
+ "searchValue": "",
+ "expectedValue": "Using WORKDIR to change directory",
+ "actualValue": "RUN cd /../share/nginx/html'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}",
+ "searchValue": "",
+ "expectedValue": "Using WORKDIR to change directory",
+ "actualValue": "RUN cd ../share/nginx/html'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{nginx}}.RUN={{cd /usr/../share/nginx/html}}",
+ "searchValue": "",
+ "expectedValue": "Using WORKDIR to change directory",
+ "actualValue": "RUN cd /usr/../share/nginx/html'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
index c6a5e011847..6defb236b76 100644
--- a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
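Review bot: The three actualValue strings in the run_command_cd_instead_of_workdir hunk end with an unbalanced single quote, `"actualValue": "RUN cd /../share/nginx/html'"`, with nothing opening it; this looks like a stray character in the query's actual-value format that the fixture now pins. If that is indeed what the query emits the entries are correct as written, but the shape suggests the format was meant to read `'RUN cd …'`, and correcting it at the source later would break all three entries at once, so it is worth settling now.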
@@ -2,6 +2,14 @@
 {
 "queryName": "Run Using apt",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{busybox:1.0}}.{{RUN apt install curl}}",
+ "searchValue": "",
+ "expectedValue": "RUN instructions should not use the 'apt' program",
+ "actualValue": "RUN instruction is invoking the 'apt' program",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
index 581fa52051a..d09c622b0cc 100644
--- a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Run Using Sudo",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.RUN={{sudo pip install --upgrade pip}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction shouldn't contain sudo",
+ "actualValue": "RUN instruction contains sudo",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
index 82340b752d6..7fa351280dc 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Run Using 'wget' and 'curl'",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}",
+ "searchValue": "",
+ "expectedValue": "Exclusively using 'wget' or 'curl'",
+ "actualValue": "Using both 'wget' and 'curl'",
+ "issueType": "RedundantAttribute"
 },
 {
 "queryName": "Run Using 'wget' and 'curl'",
 "severity": "LOW",
- "line": 7
+ "line": 7,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{baseImage}}.{{RUN curl http://bing.com}}",
+ "searchValue": "",
+ "expectedValue": "Exclusively using 'wget' or 'curl'",
+ "actualValue": "Using both 'wget' and 'curl'",
+ "issueType": "RedundantAttribute"
 },
 {
 "queryName": "Run Using 'wget' and 'curl'",
 "severity": "LOW",
- "line": 8
+ "line": 8,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}",
+ "searchValue": "",
+ "expectedValue": "Exclusively using 'wget' or 'curl'",
+ "actualValue": "Using both 'wget' and 'curl'",
+ "issueType": "RedundantAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
index 9f366ada36a..8b9ca535e0e 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Run Utilities And POSIX Commands",
 "severity": "INFO",
- "line": 4
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}",
+ "searchValue": "",
+ "expectedValue": "There should be no dangerous commands or utilities executed",
+ "actualValue": "Run instruction is executing the top command",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Run Utilities And POSIX Commands",
 "severity": "INFO",
- "line": 5
+ "line": 5,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}",
+ "searchValue": "",
+ "expectedValue": "There should be no dangerous commands or utilities executed",
+ "actualValue": "Run instruction is executing the ps command",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
index 9e65369181b..56e924736d0 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Same Alias In Different Froms",
 "severity": "LOW",
- "line": 4
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{build}}",
+ "searchValue": "",
+ "expectedValue": "Different FROM commands don't have the same alias defined",
+ "actualValue": "Different FROM commands with with the same alias 'build' defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
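Review bot: The actualValue in the same_alias_in_different_froms hunk pins `Different FROM commands with with the same alias 'build' defined`, with a doubled `with`; presumably copied from the query's message, so the fixture is faithful to current output, but it locks the typo in until query.rego and this entry are changed together. Worth confirming against the query's literal before merging, and fixing both in one go if it is a typo there.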
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
index 66769b07386..b8d98368725 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Shell Running A Pipe Without Pipefail Flag",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}",
+ "searchValue": "zsh",
+ "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.",
+ "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh.",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shell Running A Pipe Without Pipefail Flag",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}",
+ "searchValue": "/bin/bash",
+ "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.",
+ "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash.",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
index 5d57ac73d0c..05170343f09 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "UNIX Ports Out Of Range",
 "severity": "INFO",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 65536/tcp 80 443 22}}",
+ "searchValue": "",
+ "expectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]",
+ "actualValue": "'EXPOSE' contains ports out of range [0, 65535]",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
index 9f377d63c28..facbf34123c 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Unpinned Package Version in Apk Add",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
+ "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Apk Add",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
+ "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Apk Add",
 "severity": "MEDIUM",
- "line": 14
+ "line": 14,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && rm -rf /tmp/*}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
+ "actualValue": "RUN instruction apk add py-pip && rm -rf /tmp/* does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Apk Add",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
+ "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Apk Add",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN [\"apk\", \"add\", \"py-pip\"]}}",
+ "searchValue": "py-pip",
+ "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
+ "actualValue": "RUN instruction py-pip does not use package pinning form",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
index 4ffe50570bf..ad45b094ca2 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
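Review bot: The expectedValue strings in this hunk read `RUN instruction with 'apk add ' should use package pinning form 'apk add ='`, where both quoted fragments look as if they once held an angle-bracketed `<package>=<version>`-style placeholder that was stripped, leaving an empty token before the quote and a bare `=`; the same shape appears in the unpinned_package_version_in_pip_install hunk below (`'pip/pip3 install '` and `'pip/pip3 install ='`). If the query's literal genuinely contains these strings the fixture is faithful, but if the text was copied from rendered output where such placeholders were dropped, the comparison will fail on the first run, so this is worth checking against query.rego byte-for-byte.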
@@ -3,24 +3,52 @@
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
 "line": 3,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
+ "actualValue": "RUN instruction pip install --user pip does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
+ "actualValue": "RUN instruction connexion does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN pip install connexion}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
+ "actualValue": "RUN instruction pip install connexion does not use package pinning form",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.7}}.{{RUN pip3 install requests}}",
+ "searchValue": "",
+ "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
+ "actualValue": "RUN instruction pip3 install requests does not use package pinning form",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
index 64b7e65cd1f..1fd2b45e20b 100644
--- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive2.dockerfile"
+ "filename": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse:latest}}.RUN={{zypper install nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN zypper [\"install\"]' should be combined with 'RUN zypper [\"refresh\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN zypper [\"install\"]' isn't combined with 'RUN zypper [\"refresh\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive3.dockerfile"
+ "filename": "positive3.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive4.dockerfile"
+ "filename": "positive4.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive5.dockerfile"
+ "filename": "positive5.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive6.dockerfile"
+ "filename": "positive6.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Update Instruction Alone",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive7.dockerfile"
+ "filename": "positive7.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}",
+ "searchValue": "",
+ "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement",
+ "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
index 17bce5638c8..850cd425ec2 100644
--- a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Using Platform Flag with FROM Command",
 "severity": "INFO",
 "line": 6,
- "fileName": "positive1.dockerfile"
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}}",
+ "searchValue": "",
+ "expectedValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} should not use the '--platform' flag",
+ "actualValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} is using the '--platform' flag",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
index d0e9eb1f3db..2090276787a 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
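Review bot: In every actualValue of the update_instruction_alone hunk the second quoted command lacks its closing quote, e.g. `isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement`, whereas the matching expectedValue closes it, `'RUN apk [\"update\"]'`; this asymmetry across all seven entries points to a missing quote in the query's actual-value format string, which the fixture now pins. Correcting the format string later would require updating all seven entries together, so it is worth deciding now whether to fix it at the source in the same change.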
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Using Unnamed Build Stages",
- "severity": "LOW",
- "line": 10,
- "filename": "positive1.dockerfile"
- }
+ {
+ "queryName": "Using Unnamed Build Stages",
+ "severity": "LOW",
+ "line": 10,
+ "filename": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}.{{COPY --from=0 /go/src/github.com/foo/href-counter/app ./}}",
+ "searchValue": "",
+ "expectedValue": "COPY '--from' should reference a previously defined FROM alias",
+ "actualValue": "COPY '--from' does not reference a previously defined FROM alias",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
index ece07faaf7f..45a6fd96292 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "WORKDIR Path Not Absolute",
 "severity": "LOW",
- "line": 5
+ "line": 5,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.WORKDIR={{workdir}}",
+ "searchValue": "",
+ "expectedValue": "'WORKDIR' Command has absolute path",
+ "actualValue": "'WORKDIR' Command doesn't have absolute path",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
index f4e28bb33cf..7cfc60ad5a2 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
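Review bot: The searchKey in the using_unnamed_build_stages hunk pins `FROM={{alpine:latest }}` with a trailing space inside the braces; if positive1.dockerfile carries trailing whitespace on its FROM line this is what the scanner emits, but a trim-on-save editor touching either file would silently desynchronize them, so stripping the sample and regenerating the key would be more robust. This hunk also removes and re-adds every old line, which hides that only new fields were added.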
@@ -3,6 +3,13 @@
 "queryName": "Yum Clean All Missing",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive.dockerfile"
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.4}}.{{RUN yum clean all yum -y install}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN yum clean all yum -y install}} should have 'yum clean all' after 'yum install' command",
+ "actualValue": "{{RUN yum clean all yum -y install}} doesn't have 'yum clean all' after 'yum install' command",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
index c6fa582d3aa..1fe16d58499 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Yum Install Allows Manual Input",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input",
+ "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Yum Install Allows Manual Input",
 "severity": "LOW",
- "line": 4
+ "line": 4,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input",
+ "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
index 2ed431a5849..a56c2d6bf52 100644
--- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Yum install Without Version",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using yum install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Yum install Without Version",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using yum install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
index 7d64d6a1109..1d78bb3d3f0 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Zypper Install Without Version",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN zypper install -y httpd && zypper clean}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using zypper install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Zypper Install Without Version",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"zypper\", \"install\", \"http\"]}}",
+ "searchValue": "http",
+ "expectedValue": "The package version should always be specified when using zypper install",
+ "actualValue": "No version is specified in package 'http'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
index 588bf368806..85f11c17a2e 100644
--- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "BigQuery Dataset Is Public",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "bigquery.v2.dataset",
+ "resourceName": "bigquery",
+ "searchKey": "resources.name={{bigquery}}.properties.access[0].specialGroup",
+ "searchValue": "",
+ "expectedValue": "'access[0].specialGroup' should not equal to 'allAuthenticatedUsers'",
+ "actualValue": "'access[0].specialGroup' is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
index 6bf204bca1f..98182c6e640 100644
--- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "bucket",
+ "searchKey": "resources.name={{bucket}}.properties",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be defined and not null",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "bucket",
+ "searchKey": "resources.name={{bucket}}.properties.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
index 52d56a7fb6c..eb467c30819 100644
--- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuth' should be defined and not null",
+ "actualValue": "'masterAuth' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "'masterAuth.clientCertificateConfig' should be defined and not null",
+ "actualValue": "'masterAuth.clientCertificateConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate",
+ "searchValue": "",
+ "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true",
+ "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
index 0cc01b954eb..519ac620978 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns",
+ "searchKey": "resources.name={{dns}}.properties",
+ "searchValue": "",
+ "expectedValue": "'dnssecConfig' should be defined and not null",
+ "actualValue": "'dnssecConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns2",
+ "searchKey": "resources.name={{dns2}}.properties.dnssecConfig",
+ "searchValue": "",
+ "expectedValue": "'state' should be defined and not null",
+ "actualValue": "'state' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns3",
+ "searchKey": "resources.name={{dns3}}.properties.dnssecConfig.state",
+ "searchValue": "",
+ "expectedValue": "'state' should be set to 'on'",
+ "actualValue": "'state' is not set to 'on'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
index bd96fd1b8e3..8b7072d9f37 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "acl",
+ "expectedValue": "'acl' should be defined",
+ "actualValue": "'acl' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "defaultObjectAcl",
+ "expectedValue": "'defaultObjectAcl' should be defined",
+ "actualValue": "'defaultObjectAcl' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 7,
- "filename": "positive2.yaml"
+ "line": 4,
+ "filename": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "acl",
+ "expectedValue": "'acl' should be defined",
+ "actualValue": "'acl' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 4,
- "filename": "positive2.yaml"
+ "line": 7,
+ "filename": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 7,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.acl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.acl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.acl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
index d42c2587d0d..a6ecc906fe1 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
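Review bot: The expectedValue/actualValue strings pinned for the `defaultObjectAcl[0].entity` and `acl[0].entity` entries spell the special group as `'AllAuthenticatedUsers'`, while the sibling fixtures in this change (bigquery_database_is_public, cloud_storage_bucket_is_publicly_accessible) use `'allAuthenticatedUsers'`, which is the spelling GCP uses for that ACL entity. This file only records what the query emits, so the point is really about the rego behind it: if its comparison is case-sensitive against the capitalised form, a real `allAuthenticatedUsers` grant would be missed while this fixture still passes; worth confirming before locking the message in. Separately, the actualValue `is equal to 'allUsers' or 'AllAuthenticatedUsers'` does not say which entity was actually found, unlike `'entity' is equal to 'allUsers'` in the bucket_is_publicly_accessible fixture, so a triager has to reopen the template to know.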
@@ -3,12 +3,26 @@
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucketAccessControl",
+ "resourceName": "bucket-access-control",
+ "searchKey": "resources.name={{bucket-access-control}}.properties.entity",
+ "searchValue": "",
+ "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "'entity' is equal to 'allUsers'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "storage.v1.bucketAccessControl",
+ "resourceName": "bucket-access-control",
+ "searchKey": "resources.name={{bucket-access-control}}.properties.entity",
+ "searchValue": "",
+ "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "'entity' is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index 3eb292cd0a7..d3dc37b107f 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic",
+ "searchKey": "resources.name={{a-new-pubsub-topic}}.properties",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be defined and not null",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic2",
+ "searchKey": "resources.name={{a-new-pubsub-topic2}}.properties.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
index 6dad84347c3..db5746a2476 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'resourceLabels' should be defined and not null",
+ "actualValue": "'resourceLabels' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
index 37ca92ffb33..cee8bf856c5 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuth' should be defined and not null",
+ "actualValue": "'masterAuth' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined",
+ "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined",
+ "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
index 7e5816b6e71..7d01fe20e06 100644
--- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Compute Instance Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "instance",
+ "searchKey": "resources.name={{instance}}.properties.networkInterfaces",
+ "searchValue": "",
+ "expectedValue": "'accessConfigs' should be undefined",
+ "actualValue": "'accessConfigs' is defined and not null",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
index 46de3aa0e69..b8dd023b16d 100644
--- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "COS Node Image Not Used",
 "severity": "LOW",
 "line": 7,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.nodePool",
+ "resourceName": "nodePool",
+ "searchKey": "resources.name={{nodePool}}.properties.config.imageType",
+ "searchValue": "",
+ "expectedValue": "'config.imageType' should start with 'cos'",
+ "actualValue": "'config.imageType' is ubuntu",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
index 7586900135f..416318a34e0 100644
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template",
+ "searchKey": "resources.name={{vm-template}}.properties.disks",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey' should be defined and not null",
+ "actualValue": "'diskEncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 14,
- "filename": "positive2.yaml"
+ "line": 18,
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-3-data",
+ "searchKey": "resources.name={{disk-3-data}}.properties.disks",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey' should be defined and not null",
+ "actualValue": "'diskEncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 16,
- "filename": "positive3.yaml"
+ "line": 14,
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template2",
+ "searchKey": "resources.name={{vm-template2}}.properties.disks.diskEncryptionKey",
+ "searchValue": "",
+ "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null",
+ "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 18,
- "filename": "positive1.yaml"
+ "line": 23,
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-4-data",
+ "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey",
+ "searchValue": "",
+ "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null",
+ "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 23,
- "filename": "positive2.yaml"
+ "line": 16,
+ "filename": "positive3.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template3",
+ "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey.rawKey' should not be empty",
+ "actualValue": "'diskEncryptionKey.rawKey' is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-5-data",
+ "searchKey": "resources.name={{disk-5-data}}.properties.diskEncryptionKey.rawKey",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey.rawKey' should not be empty",
+ "actualValue": "'diskEncryptionKey.rawKey' is empty",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
index f40a3d8a8a0..79ef6be4a0b 100644
--- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
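Review bot: The second entry (`resourceName` `disk-3-data`, `resourceType` `compute.v1.disk`) pins `"searchKey": "resources.name={{disk-3-data}}.properties.disks"`, whereas the other `compute.v1.disk` entries in the same hunk (`disk-4-data`, `disk-5-data`) point at `properties.diskEncryptionKey...` and only the `compute.v1.instance` entries use `properties.disks`. A standalone disk resource does not carry a `disks` list, so this searchKey looks like it came from the instance branch of the query rather than the disk branch; since the fixture records whatever the query emits, accepting it would lock that location in and any consumer that resolves searchKey back to the template line would land on a non-existent path. Worth checking the rego's disk branch before merging rather than treating the regenerated value as authoritative. The `line`/`filename` swaps across the remaining entries look like the same findings re-sorted and need no change.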
@@ -3,6 +3,13 @@
 "queryName": "DNSSEC Using RSASHA1",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns",
+ "searchKey": "resources.name={{dns}}.properties.dnssecConfig.defaultKeySpecs",
+ "searchValue": "",
+ "expectedValue": "'algorithm' should not equal to 'rsasha1'",
+ "actualValue": "'algorithm' is equal to 'rsasha1'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
index a34c5e90f58..226c33c006e 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "GKE Legacy Authorization Enabled",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.legacyAbac.enabled",
+ "searchValue": "",
+ "expectedValue": "'legacyAbac.enabled' should be false",
+ "actualValue": "'legacyAbac.enabled' is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
index c2a87118b33..cdfe7583537 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuthorizedNetworksConfig' should be defined and not null",
+ "actualValue": "'masterAuthorizedNetworksConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties.masterAuthorizedNetworksConfig.enabled",
+ "searchValue": "",
+ "expectedValue": "'masterAuthorizedNetworksConfig.enabled' should be true",
+ "actualValue": "'masterAuthorizedNetworksConfig.enabled' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
index c73e8f724a2..68888327cca 100644
--- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Google Storage Bucket Level Access Disabled",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic1",
+ "searchKey": "resources.name={{a-new-pubsub-topic1}}.properties.iamConfiguration.uniformBucketLevelAccess.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
index db68ada83e5..fdd872f3ddb 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy' should be defined and not null",
+ "actualValue": "'ipAllocationPolicy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy.useIpAliases' should be defined and not null",
+ "actualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy.useIpAliases",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy.useIpAliases' should be true",
+ "actualValue": "'ipAllocationPolicy.useIpAliases' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
index d7d2261870e..0ebe7100832 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "IP Forwarding Enabled",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template",
+ "searchKey": "resources.name={{vm-template}}.properties.canIpForward",
+ "searchValue": "",
+ "expectedValue": "'canIpForward' should not be set to true",
+ "actualValue": "'canIpForward' is set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
index 19d10797fc4..f381d3775ba 100644
--- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "MySQL Instance With Local Infile On",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "db-instance",
+ "searchKey": "resources.name={{db-instance}}.properties.settings.databaseFlags[0]",
+ "searchValue": "",
+ "expectedValue": "'settings.databaseFlags[0]' should be 'off'",
+ "actualValue": "'settings.databaseFlags[0]' is equal to 'on'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
index 3d252b3cbfc..879664fa66f 100644
--- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
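Review bot: In the mysql_instance_with_local_infile_on hunk the pinned messages, `'settings.databaseFlags[0]' should be 'off'` and `'settings.databaseFlags[0]' is equal to 'on'`, identify the finding by array index only and never name the flag, so a reader of the result cannot tell that `local_infile` is what was matched without opening the template. The searchKey carrying the index is fine as a location, but the expectedValue/actualValue wording lives in the query's rego and would be clearer as something like `'local_infile' database flag should be 'off'`; this fixture would then need regenerating. That is a wording point only and does not affect what the query detects.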
@@ -3,48 +3,104 @@
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "addonsConfig",
+ "expectedValue": "'addonsConfig' should be defined and not null",
+ "actualValue": "'addonsConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "networkPolicy",
+ "expectedValue": "'networkPolicy' should be defined and not null",
+ "actualValue": "'networkPolicy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "addonsConfig",
+ "expectedValue": "'addonsConfig' should be defined and not null",
+ "actualValue": "'addonsConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled",
+ "searchValue": "",
+ "expectedValue": "'networkPolicy.enabled' should be true",
+ "actualValue": "'networkPolicy.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 8,
- "filename": "positive3.yaml"
+ "line": 4,
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "networkPolicy",
+ "expectedValue": "'networkPolicy' should be defined and not null",
+ "actualValue": "'networkPolicy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 4,
- "filename": "positive3.yaml"
+ "line": 8,
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled",
+ "searchValue": "",
+ "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false",
+ "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 10,
- "filename": "positive4.yaml"
+ "line": 7,
+ "filename": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled",
+ "searchValue": "",
+ "expectedValue": "'networkPolicy.enabled' should be true",
+ "actualValue": "'networkPolicy.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 7,
- "filename": "positive4.yaml"
+ "line": 10,
+ "filename": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled",
+ "searchValue": "",
+ "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false",
+ "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
index 41f14f2827f..62fdf307ef5 100644
--- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'nodePools' should be defined and not null",
+ "actualValue": "'nodePools' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management' should be defined and not null",
+ "actualValue": "'nodePools.management' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools.management",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management.autoUpgrade' should be defined and not null",
+ "actualValue": "'nodePools.management.autoUpgrade' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management.autoUpgrade' should be true",
+ "actualValue": "'nodePools.management.autoUpgrade' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
index d8a159bff9b..9a337e24254 100644
--- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Not Proper Email Account In Use",
 "severity": "LOW",
 "line": 9,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "pubsub.v1.topic",
+ "resourceName": "a-new-pubsub-topic",
+ "searchKey": "accessControl.gcpIamPolicy.bindings[%!s(int=0)].members.user:jane@gmail.com",
+ "searchValue": "",
+ "expectedValue": "'members' cannot contain Gmail account addresses",
+ "actualValue": "'members' has email address: user:jane@gmail.com",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
index ad76c251278..65803809a5c 100644
--- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
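Review bot: The new `searchKey` for positive1.yaml contains `bindings[%!s(int=0)]`, which is the Go fmt error marker for an integer handed to a `%s` verb, so this entry pins a malformed key path instead of the intended `bindings[0]`. Freezing that string as the expected result means the format-string bug in the query's `sprintf` now has a test guarding it, and any later fix to the query will fail this file. The verb in the query should be corrected (`%d` for the index) and this result regenerated before merge; the `actualValue` and `expectedValue` texts look fine as they stand.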
@@ -3,6 +3,13 @@
 "queryName": "OSLogin Is Disabled In VM Instance",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items[0]",
+ "searchValue": "",
+ "expectedValue": "'metadata.items[0]'.value should be true",
+ "actualValue": "'metadata.items[0]'.value is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
index a9805abe4bb..527098846ba 100644
--- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster",
+ "searchKey": "resources.name={{mycluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'privateClusterConfig' should be defined and not null",
+ "actualValue": "'privateClusterConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster2",
+ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig",
+ "searchValue": "",
+ "expectedValue": "'enablePrivateNodes' should be defined and not null",
+ "actualValue": "'enablePrivateNodes' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster2",
+ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint",
+ "searchValue": "",
+ "expectedValue": "'enablePrivateEndpoint' should be set to true",
+ "actualValue": "'enablePrivateEndpoint' is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
index 975ce957b25..2e01e68ddf3 100644
--- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties",
+ "searchValue": "",
+ "expectedValue": "'metadata' should be defined and not null",
+ "actualValue": "'metadata' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items",
+ "searchValue": "",
+ "expectedValue": "'metadata.items' should have 'block-project-ssh-keys'",
+ "actualValue": "'metadata.items' does not have 'block-project-ssh-keys'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key",
+ "searchValue": "",
+ "expectedValue": "'metadata.items[1].value' should be true",
+ "actualValue": "'metadata.items[1].value' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
index cc92fb60bc4..8ed9d9682db 100644
--- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
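Review bot: In the positive3.yaml entry the `searchKey` ends in `metadata.items[1].key` while `expectedValue` and `actualValue` both judge `metadata.items[1].value`, so the location the finding points at and the attribute it says is wrong disagree. If the query really anchors on `.key` the messages should say so; otherwise the `searchKey` should end in `.value` so the reported line is the `block-project-ssh-keys: false` value, not its key. Which side is right cannot be told from this file alone, so it is worth checking against the query before the string is frozen as expected output.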
+++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 9,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json
index ee8a1dd650e..ee785541ee6 100644
--- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template",
+ "searchKey": "resources.name={{vm-template}}.properties",
+ "searchValue": "",
+ "expectedValue": "'shieldedInstanceConfig' should be defined and not null",
+ "actualValue": "'shieldedInstanceConfig' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template2",
+ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig",
+ "searchValue": "enableIntegrityMonitoring",
+ "expectedValue": "'enableIntegrityMonitoring' should be defined and not null",
+ "actualValue": "'enableIntegrityMonitoring' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template2",
+ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig",
+ "searchValue": "enableVtpm",
+ "expectedValue": "'enableVtpm' should be defined and not null",
+ "actualValue": "'enableVtpm' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template2",
+ "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot",
+ "searchValue": "",
+ "expectedValue": "'enableSecureBoot' should be set to true",
+ "actualValue": "'enableSecureBoot' is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
index 98d4feb7317..532443b1f7d 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings",
+ "searchValue": "",
+ "expectedValue": "'settings.backupConfiguration' should be defined and not null",
+ "actualValue": "'settings.backupConfiguration' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration",
+ "searchValue": "",
+ "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null",
+ "actualValue": "'settings.backupConfiguration.enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration.enabled",
+ "searchValue": "",
+ "expectedValue": "'settings.backupConfiguration.enabled' should be true",
+ "actualValue": "'settings.backupConfiguration.enabled' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
index 137b73b9845..a473198ff1c 100644
--- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "SQL DB Instance With SSL Disabled",
 "severity": "HIGH",
 "line": 5,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings",
+ "searchValue": "",
+ "expectedValue": "'settings.ipConfiguration' should be defined and not null",
+ "actualValue": "'settings.ipConfiguration' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance With SSL Disabled",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration",
+ "searchValue": "",
+ "expectedValue": "'settings.ipConfiguration.requireSsl' should be defined and not null",
+ "actualValue": "'settings.ipConfiguration.requireSsl' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance With SSL Disabled",
 "severity": "HIGH",
 "line": 9,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "sql-instance",
+ "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration.requireSsl",
+ "searchValue": "",
+ "expectedValue": "'settings.ipConfiguration.requireSsl' should be true",
+ "actualValue": "'settings.ipConfiguration.requireSsl' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
index 19728bf8299..e5c12d3e133 100644
--- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)",
+ "searchValue": "",
+ "expectedValue": "'allowed[0].ports' to not include SSH port 22",
+ "actualValue": "'allowed[0].ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=21-3390)].ports=%!s(MISSING)",
+ "searchValue": "",
+ "expectedValue": "'allowed[0].ports' to not include SSH port 22",
+ "actualValue": "'allowed[0].ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)",
+ "searchValue": "",
+ "expectedValue": "'allowed[0].ports' to not include SSH port 22",
+ "actualValue": "'allowed[0].ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
index 54222d9059a..3239e2e0bda 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
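Review bot: All three new `searchKey` strings in this hunk embed Go format errors — `allowed[%!d(string=22)]` is a port string fed to a `%d` verb, and `.ports=%!s(MISSING)` is a `sprintf` argument that was never supplied — so the key never resolves to the `allowed[]` entry the finding is about. Committing them as expected output locks the query's format-string bug into the test suite instead of surfacing it; the fix belongs in the query's `sprintf` (`%d` for the array index, `%s` for the port, matching argument count), after which this file should be regenerated. The `expectedValue` text hard-codes `'allowed[0].ports'` for all three cases while the broken keys carry different port specs (`22`, `21-3390`, `0-65535`); once the index is rendered correctly it is worth confirming it really is `0` in each fixture rather than a literal in the message.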
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'loggingService' should be defined and not null",
+ "actualValue": "'loggingService' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.loggingService",
+ "searchValue": "",
+ "expectedValue": "'loggingService' to not be none",
+ "actualValue": "'loggingService' is none",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
index 26074b13c9b..93c497c5c60 100644
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'monitoringService' should be defined and not null",
+ "actualValue": "'monitoringService' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties.monitoringService",
+ "searchValue": "",
+ "expectedValue": "'monitoringService' to not be 'none'",
+ "actualValue": "'monitoringService' is 'none'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json
index 831cb325438..09c29295fc0 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json
@@ -1,32 +1,67 @@
 [
- {
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "line": 3,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "line": 11,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "line": 19,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "line": 24,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP PD",
- "severity": "TRACE",
- "line": 31,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{disk-1-data}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "line": 11,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{disk-2-data}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "line": 19,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{disk-3-data}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "line": 24,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{disk-4-data}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP PD",
+ "severity": "TRACE",
+ "line": 31,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{disk-5-data}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json
index 1afedf213ad..b7fe5e1e802 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "BOM - GCP PST",
- "severity": "TRACE",
- "line": 3,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP PST",
- "severity": "TRACE",
- "line": 8,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "BOM - GCP PST",
+ "severity": "TRACE",
+ "line": 3,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{topic-1}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP PST",
+ "severity": "TRACE",
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{topic-2}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json
index 217d13d622a..fe7087ee2f2 100644
--- a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json
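Review bot: This hunk is not a pure field addition: every original entry is deleted and re-added, which renames `fileName` to `filename` and re-indents the objects, and that rename is the part worth calling out explicitly in the commit message. If the test loader matches the key case-sensitively, the old `fileName` entries were never compared against the filename at all and this silently tightens the test; if it matches loosely, the rename is cosmetic but still hides among ~60 changed lines. The new BOM entries also carry empty `resourceType`/`resourceName` while `searchKey` names the resource (`resources.name={{disk-1-data}}`); it is worth confirming the BOM query really emits empty strings there rather than the generator defaulting fields it could not recover, since the harness may compare them.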
@@ -1,32 +1,67 @@
 [
- {
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "line": 2,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "line": 12,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "line": 20,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "line": 33,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "BOM - GCP SB",
- "severity": "TRACE",
- "line": 44,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "line": 2,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{sample-input}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{sample-input2}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "line": 20,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{sample-input3}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "line": 33,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{sample-input4}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP SB",
+ "severity": "TRACE",
+ "line": 44,
+ "filename": "positive.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "resources.name={{sample-input5}}",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ }
 ]
diff --git a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json
index abf536df43f..4de8507ec89 100644
--- a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json
+++ b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json
@@ -2,16 +2,40 @@
  {
  "queryName": "Enum Name Not CamelCase",
  "severity": "INFO",
- "line": 3
+ "line": 3,
+ "filename": "positive.proto",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "enum[noInitCap]",
+ "searchValue": "",
+ "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)",
+ "actualValue": "Enum Name doesn't follow CamelCase",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Enum Name Not CamelCase",
  "severity": "INFO",
- "line": 10
+ "line": 10,
+ "filename": "positive.proto",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "enum[NOT_CAMEL_CASE]",
+ "searchValue": "",
+ "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)",
+ "actualValue": "Enum Name doesn't follow CamelCase",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Enum Name Not CamelCase",
  "severity": "INFO",
- "line": 18
+ "line": 18,
+ "filename": "positive.proto",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "enum[ALLCAPS]",
+ "searchValue": "",
+ "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)",
+ "actualValue": "Enum Name doesn't follow CamelCase",
+ "issueType": "IncorrectValue"
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json
index 31ba5cb355b..0d54b89d6c8 100644
--- a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json
@@ -3,6 +3,13 @@
  "queryName": "Always Admit Admission Control Plugin Set",
  "severity": "MEDIUM",
  "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should not contain 'AlwaysAdmit' plugin",
+ "actualValue": "--enable-admission-plugins flag contains 'AlwaysAdmit' plugin",
+ "issueType": "MissingAttribute"
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json
index d55ecb5d476..86d66bc314a 100644
--- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json
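Review bot: The classification added on the last new line of this entry, `"issueType": "MissingAttribute"`, does not match the finding it labels: the expectedValue/actualValue pair states that the `--enable-admission-plugins` flag is present but carries a forbidden value (`AlwaysAdmit`), which is an IncorrectValue condition, whereas the sibling AlwaysPullImages fixture in the next hunk correctly uses MissingAttribute for a flag that "does not contain" a required plugin. If this value was copied from the query definition rather than chosen by hand, the misclassification originates there and the fixture would lock it in, so the query and this line should be corrected together to `"issueType": "IncorrectValue"`. Consumers that filter or route findings by issueType would otherwise treat a present-but-dangerous admission plugin as a missing setting.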
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Always Pull Images Admission Control Plugin Not Set",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive1.yaml"
- }
+ {
+ "queryName": "Always Pull Images Admission Control Plugin Not Set",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should contain 'AlwaysPullImages' plugin",
+ "actualValue": "--enable-admission-plugins flag does not contain 'AlwaysPullImages' plugin",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json
index 90189e0113d..3abcfaf702c 100644
--- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json
+++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json
@@ -3,36 +3,78 @@ "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue" }, { 
"queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 9, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue" }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 7, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json index f6dd72c9d09..f0d0aa9dc17 100644 --- a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json 
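Review bot: The searchKey added for the two KubeletConfiguration entries (positive5.yaml and positive6.json), `"searchKey": "kind={{KubeletConfiguration}}.authentication.enabled"`, does not name the attribute those same entries describe — their expectedValue and actualValue both refer to `authentication.anonymous.enabled`, so the `anonymous` path segment is missing from the key. If these values were captured from real scanner output, the discrepancy most likely originates in how the query builds its result and this fixture would pin it in place; the key should read `kind={{KubeletConfiguration}}.authentication.anonymous.enabled` in both entries, or the message should be checked against what the query actually evaluates. A searchKey that points at the wrong attribute degrades the location pointer users receive in reports for this finding.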
@@ -1,38 +1,80 @@ [ - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 12, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 27, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 40, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 55, - "fileName": "positive3.yaml" - } + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", + "actualValue": "--audit-log-maxage flag is set to less than 30 days", + "issueType": "IncorrectValue" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": 
"metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 27, + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 40, + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 55, + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json index 7da00e34745..47444e0e2f8 100644 --- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": 
"--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 40, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 55, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json index 50437ce4286..d3f21ce01dd 100644 --- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 27, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": 
"--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 40, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 55, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json index d2d9950e15c..d8442ae14b4 100644 --- a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json 
@@ -3,30 +3,65 @@
  "queryName": "Audit Log Path Not Set",
  "severity": "MEDIUM",
  "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-log-path flag should be defined",
+ "actualValue": "--audit-log-path flag is not defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Audit Log Path Not Set",
  "severity": "MEDIUM",
- "line": 55,
- "fileName": "positive2.yaml"
+ "line": 12,
+ "filename": "positive2.yaml",
+ "resourceType": "Service",
+ "resourceName": "dummy",
+ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-log-path flag should be defined",
+ "actualValue": "--audit-log-path flag is not defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Audit Log Path Not Set",
  "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive2.yaml"
+ "line": 27,
+ "filename": "positive2.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-log-path flag should be defined",
+ "actualValue": "--audit-log-path flag is not defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Audit Log Path Not Set",
  "severity": "MEDIUM",
- "line": 27,
- "fileName": "positive2.yaml"
+ "line": 40,
+ "filename": "positive2.yaml",
+ "resourceType": "Revision",
+ "resourceName": "dummy-rev",
+ "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-log-path flag should be defined",
+ "actualValue": "--audit-log-path flag is not defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Audit Log Path Not Set",
  "severity": "MEDIUM",
- "line": 40,
- "fileName": "positive2.yaml"
+ "line": 55,
+ "filename": "positive2.yaml",
+ "resourceType": "ContainerSource",
+ "resourceName": "dummy-cs",
+ "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-log-path flag should be defined",
+ "actualValue": "--audit-log-path flag is not defined",
+ "issueType": "MissingAttribute"
  }
 ]
diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json
index feefd2c4b41..3544eae1a1e 100644
--- a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Audit Policy File Not Defined",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Audit Policy File Not Defined",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Audit Policy File Not Defined",
- "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive3.yaml"
- }
+ {
+ "queryName": "Audit Policy File Not Defined",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-policy-file flag should be defined",
+ "actualValue": "--audit-policy-file is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Audit Policy File Not Defined",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-policy-file flag should have a valid file",
+ "actualValue": "--audit-policy-file does not have a valid file",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Audit Policy File Not Defined",
+ "severity": "MEDIUM",
+ "line": 12,
+ "filename": "positive3.yaml",
+ "resourceType": "Service",
+ "resourceName": "dummy",
+ "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--audit-policy-file flag should be defined",
+ "actualValue": "--audit-policy-file is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 6283d929b54..7eee5a7de9c 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json 
@@ -3,102 +3,221 @@ "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 
'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + 
"searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover 
Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the 
following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json index eea4b0a2e53..279df677e88 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'Node' mode", + "actualValue": "--authorization-mode flag does not contain 'Node' mode", + "issueType": "MissingAttribute" }, { "queryName": "Authorization Mode Node Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'Node' mode", + "actualValue": "--authorization-mode flag does not contain 'Node' mode", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json index 80c0e857697..a1770850263 100644 --- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode", + "issueType": "MissingAttribute" }, { "queryName": "Authorization Mode RBAC Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag should contain 'RBAC' mode", + "actualValue": "--authorization-mode flag does not contain 'RBAC' mode", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json index 174d3224c48..9418748b8c6 100644 --- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' 
mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue" }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 6, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json index e34115cbfc9..7f09ac4142b 100644 --- a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Auto TLS Set To True", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--auto-tls flag should be set to false or not be defined", + "actualValue": "--auto-tls flag is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json index c1651f47ffa..ca658595b76 100644 --- a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue" }, { "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
index 07dd9af49e0..37f387af819 100644
--- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue" }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": 
"IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json index 9fe04be75e3..bcf6f02308d 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json 
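Review bot: All four regenerated `actualValue` strings pin a malformed address, `--bind-address flag is set to a 127.0.01`, while the paired `expectedValue` spells it `127.0.0.1`; since these fixtures are produced from the query's own output, this is a typo in the query's keyActualValue being frozen into the test contract. Fix the wording at the source (`--bind-address flag is set to 127.0.0.1`) and regenerate rather than committing it. Separately, the pinned guidance that the flag `should not be set to 127.0.0.1` reads as the opposite of what CIS Kubernetes Benchmark 1.3.7/1.4.2 ask of kube-controller-manager and kube-scheduler (bind to loopback), so it is worth confirming the query's intent before that message becomes part of the expected results; the query itself is outside this diff.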
@@ -3,36 +3,78 @@ "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + 
"issueType": "IncorrectValue" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index 7dc8cf23ce2..307c04c80a7 100644 --- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json 
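Review bot: For the three KubeletConfiguration cases (positive4–positive6) the new `searchKey` is only `kind={{KubeletConfiguration}}` with `line: 2`, so the pinned finding points at the whole document, whereas the Pod cases point at the specific container `command`. Committing this makes the imprecise location part of the contract; presumably the misconfigured field is `authentication.x509.clientCAFile`, so consider having the query emit `kind={{KubeletConfiguration}}.authentication.x509.clientCAFile` with the matching line before regenerating. The query is outside this diff, so this is a follow-up rather than a blocker.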
@@ -2,6 +2,14 @@
 {
 "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "filename": "positive.yaml",
+ "resourceType": "ClusterRoleBinding",
+ "resourceName": "tiller-clusterrolebinding",
+ "searchKey": "metadata.name={{tiller-clusterrolebinding}}.roleRef.name=cluster-admin",
+ "searchValue": "",
+ "expectedValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' isn't binding 'cluster-admin' role with superuser permissions",
+ "actualValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' is binding 'cluster-admin' role with superuser permissions",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
index 3f8fa2aa8f3..5fd149d1f66 100644
--- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
+++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
@@ -1,26 +1,54 @@ [ - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 13, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 24, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 18, - "fileName": "positive2.yaml" - } + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl", + "issueType": "IncorrectValue" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl", + "issueType": "IncorrectValue" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 24, + "filename": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "sysctl-psp", + "searchKey": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls", + "searchValue": 
"", + "expectedValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls should be undefined", + "actualValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls is defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-app", + "searchKey": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}}", + "searchValue": "", + "expectedValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} should not be used", + "actualValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} is an unsafe sysctl", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json index 74e9d872042..4055201320e 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/negative.json 
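Review bot: This hunk replaces every line of the file although the only semantic change is the added fields, because the regenerated output uses a different indentation from the original (all old entries are removed and re-added at a new indent level). A fixture diff that rewrites all 26 lines hides the actual change and will recur on every regeneration; have the generator detect and reuse the file's existing indent, or normalise all fixtures to one indent in a separate mechanical commit, so future diffs show only the added keys.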
@@ -1,26 +1,15 @@
 {
- "name": "k8s-pod-network",
- "cniVersion": "0.3.0",
- "plugins": [
- {
- "type": "calico",
- "log_level": "info",
- "datastore_type": "kubernetes",
- "nodename": "127.0.0.1",
- "ipam": {
- "type": "host-local",
- "subnet": "usePodCidr"
- },
- "policy": {
- "type": "k8s"
- },
- "kubernetes": {
- "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
- }
- },
- {
- "type": "portmap",
- "capabilities": {"portMappings": true}
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "metadata": {
+ "name": "kube-calico-cfg",
+ "namespace": "kube-system",
+ "labels": {
+ "tier": "node",
+ "app": "calico"
 }
- ]
+ },
+ "data": {
+ "cni-conf.json": "{\"name\":\"k8s-pod-network\",\"plugins\":[{\"type\":\"calico\",\"log_level\":\"info\",\"datastore_type\":\"kubernetes\",\"nodename\":\"127.0.0.1\",\"ipam\":{\"type\":\"host-local\",\"subnet\":\"usePodCidr\"},\"policy\":{\"type\":\"k8s\"},\"kubernetes\":{\"kubeconfig\":\"/etc/cni/net.d/calico-kubeconfig\"}},{\"type\":\"portmap\",\"capabilities\":{\"portMappings\":true}}]}"
+ }
 }
diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json
index f5af842cc4e..9d3e29b608b 100644
--- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json
+++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive.json
@@ -1,4 +1,6 @@
 {
+ "kind": "KubeletConfiguration",
+ "apiVersion": "kubelet.config.k8s.io/v1beta1",
 "name": "k8s-pod-network",
 "cniVersion": "0.3.0",
 "plugins": [
diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json
index 954e413166f..cd1b45ada05 100644
--- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json
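Review bot: The rewritten negative case no longer contains a standalone CNI conflist; it only covers the ConfigMap `data."cni-conf.json"` form (and the embedded config silently drops `cniVersion`). The positive side still exercises a standalone conflist, so after this change a regression that starts flagging a compliant standalone Calico config (`"policy": {"type": "k8s"}`) would go unnoticed. Keep the removed standalone document as a second negative sample, e.g. `negative2.json`, so both input shapes are covered on both sides.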
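Review bot: Prepending `"kind": "KubeletConfiguration"` and `"apiVersion": "kubelet.config.k8s.io/v1beta1"` to what is otherwise a CNI conflist yields a hybrid that is neither a valid KubeletConfiguration nor a valid CNI config, which looks like a workaround to get the file classified as a Kubernetes document rather than a representative sample. The positive case therefore proves only that the query fires on this hybrid, not on a real standalone conflist, and the regenerated expectation for it carries `"filename": ""` / `"resourceType": "n/a"`, suggesting attribution is already off. If standalone conflists are meant to be in scope, the detector should accept them without the fake header; otherwise switch this sample to the ConfigMap-embedded form that positive2.yaml already uses and drop the hybrid.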
+++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json
@@ -2,13 +2,27 @@
 {
 "queryName": "CNI Plugin Does Not Support Network Policies",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive.json"
+ "line": 8,
+ "filename": "",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "plugins",
+ "searchValue": "",
+ "expectedValue": "Plugins should not contain a plugin that does not support Network Policies",
+ "actualValue": "Plugins contains a plugin that does not support Network Policies",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CNI Plugin Does Not Support Network Policies",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "ConfigMap",
+ "resourceName": "kube-flannel-cfg",
+ "searchKey": "data.cni-conf.json",
+ "searchValue": "",
+ "expectedValue": "Plugins should not contain a plugin that does not support Network Policies",
+ "actualValue": "Plugins contains a plugin that does not support Network Policies",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
index 82fa1663583..666f63fb445 100644
--- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
+++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json
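Review bot: The first entry now pins `"filename": ""` and `"resourceType": "n/a"` for the finding at `line: 8`, while every other regenerated fixture in this diff names its file; with an empty filename the expectation no longer asserts that the finding was produced by positive.json, and the line apparently moved from 6 to 8 only because two header lines were prepended to that file. If the scanner genuinely cannot attribute this finding to a file, that is a reporting defect worth its own fix; if it can, regenerate with `"filename": "positive.json"` so the fixture keeps checking provenance.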
@@ -3,18 +3,39 @@ "queryName": "Container Is Privileged", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", "severity": "HIGH", "line": 23, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-5", + "searchKey": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true", + "issueType": 
"IncorrectValue" } ] diff --git a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json index 1d2470f17f5..b4a620fc654 100644 --- a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowedProcMountTypes", + "searchValue": "", + "expectedValue": "AllowedProcMountTypes should contain the value Default", + "actualValue": "AllowedProcMountTypes contains the value Unmasked", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json index 081d3da70a3..59868bb41e4 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json 
@@ -3,102 +3,221 @@ "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running With Low UID", + "severity": "MEDIUM", + "line": 18, + "filename": "positive10.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Container Running With Low UID", + "severity": "MEDIUM", + "line": 36, + "filename": "positive10.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": 
"metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", + "searchValue": "Pod", + 
"expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", + "searchValue": "Deployment", + "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 24, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", + "searchValue": 
"Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 32, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 23, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 21, - "fileName": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "StatefulSet", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 43, - 
"fileName": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive9.yaml" + "filename": "positive9.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "StatefulSet", + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue" }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 38, - "fileName": "positive9.yaml" - }, - { - "queryName": "Container Running With Low UID", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive10.yaml" - }, - { - "queryName": "Container Running With Low UID", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive10.yaml" + "filename": "positive9.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "Deployment", + "expectedValue": "2 
metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json
index a2faab363dc..4eb3f3b0722 100644
--- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json
+++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json
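Review bot: Every `expectedValue` in this hunk starts with a stray digit — `"1 metadata.name=…runAsUser should be set to a UID >= 10000"`, `"2 metadata.name=…"`, `"3 metadata.name=…runAsUser should be defined"` — which reads like a rule-branch index that leaked from the query's message format string into the user-facing text rather than intended wording. Because these fixtures are recorded scanner output, merging them pins that artifact as the expected result, and the test will start failing the moment the message is cleaned up unless the fixture is regenerated at the same time. I would correct the format string in the query's rego (not visible from here, so presumably a sprintf argument order or a leftover debug prefix) and regenerate this file before merging, or confirm the prefix is intentional. The enclosing JSON array opens before this hunk, at the file's first lines.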
@@ -1,86 +1,184 @@ [ - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.yaml" - }, - { - "queryName": "Container Running As Root", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.yaml" - }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 12, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 28, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-3", + "searchKey": 
"metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 12, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + 
"severity": "MEDIUM", + "line": 17, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 12, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 7, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": 
"metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "MissingAttribute" + }, + { + "queryName": "Container Running As Root", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" + }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 20, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 42, - "fileName": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": 
"metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 17, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchValue": "StatefulSet", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 37, - "fileName": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false", + "issueType": "IncorrectValue" }, { "queryName": "Container Running As Root", "severity": "MEDIUM", "line": 18, - "fileName": 
"positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "StatefulSet",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}",
+ "searchValue": "StatefulSet",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
index 6d5c8e6976e..9bd3272dcd7 100644
--- a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
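Review bot: The three entries tagged `"issueType": "MissingAttribute"` (positive4.yaml line 7, positive7.yaml lines 18 and 36) carry an `actualValue` of `…securityContext.runAsUser is 0 and 'runAsNonRoot' is false`, which asserts a concrete value for an attribute the issue type says is absent; their `searchKey` also stops at the container path instead of ending in `.securityContext.runAsUser`, consistent with the attribute being undefined. An undefined runAsUser (the container falls back to whatever user the image declares) and an explicit 0 are different findings with different remediations, so the message for the missing-attribute branch should say so, e.g. `"…securityContext.runAsUser is undefined"`, and the fixture regenerated afterwards. The containers_run_with_low_uid hunk above already distinguishes the two cases in its messages ("is undefined" versus "is set to a low UID"), so this query is the outlier. The enclosing JSON array opens at file line 1, inside this hunk.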
@@ -2,11 +2,27 @@
 {
 "queryName": "Containers With Added Capabilities",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod2",
+ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has no capability added other than NET_BIND_SERVICE",
+ "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has a capability added other than NET_BIND_SERVICE",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Containers With Added Capabilities",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod3",
+ "searchKey": "metadata.name={{pod3}}.spec.initContainers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has no capability added other than NET_BIND_SERVICE",
+ "actualValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has a capability added other than NET_BIND_SERVICE",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
index 6882f8cf635..1281bffaf22 100644
--- a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Containers With Sys Admin Capabilities",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod4",
+ "searchKey": "metadata.name={{pod4}}.spec.containers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=app should not use CAP_SYS_ADMIN Linux capability",
+ "actualValue": "spec.containers.name=app uses CAP_SYS_ADMIN Linux capability",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
index 3b9e5802174..ddb2a053613 100644
--- a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 10,
- "fineName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.limits",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=app has CPU limits",
+ "actualValue": "spec.containers.name=app doesn't have CPU limits",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 14,
- "fineName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=log-aggregator has limits defined",
+ "actualValue": "spec.containers.name=log-aggregator doesn't have limits defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 31,
- "fineName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.limits",
+ "searchValue": "",
+ "expectedValue": "spec.template.spec.containers.name=app has CPU limits",
+ "actualValue": "spec.template.spec.containers.name=app doesn't have CPU limits",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 35,
- "fineName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "",
+ "expectedValue": "spec.template.spec.containers.name=log-aggregator has limits defined",
+ "actualValue": "spec.template.spec.containers.name=log-aggregator 
doesn't have limits defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
index 888b2a2deb2..7c0c0e5ba76 100644
--- a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests",
+ "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name=log-aggregator should have resources defined",
+ "actualValue": "spec.containers.name=log-aggregator doesn't have resources defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 30
+ "line": 30,
+ "filename": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests",
+ "searchValue": "Configuration",
+ "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests",
+ "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 37
+ "line": 37,
+ "filename": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "Configuration",
+ "expectedValue": 
"spec.template.spec.containers.name=log-aggregator.resources should have requests defined",
+ "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
index f0639d33d8a..098f6a97758 100644
--- a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
+++ b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "CronJob Deadline Not Configured",
- "severity": "LOW",
- "line": 6
- }
+ {
+ "queryName": "CronJob Deadline Not Configured",
+ "severity": "LOW",
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "CronJob",
+ "resourceName": "hello",
+ "searchKey": "metadata.name={{hello}}.spec",
+ "searchValue": "",
+ "expectedValue": "spec.startingDeadlineSeconds should be defined",
+ "actualValue": "spec.startingDeadlineSeconds is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
index be1e86defc1..6fe2c80a90d 100644
--- a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
+++ b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
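Review bot: The `searchKey` of the second entry, `"metadata.name={{frontend}}.spec.containers.name=log-aggregator"`, omits the `{{…}}` around the container name that every other searchKey in this hunk and in the cpu_limits_not_set hunk above uses (`name={{app}}`, `name={{log-aggregator}}`); if searchKey is what the line-locating step matches against, the odd form may resolve to a different line or not at all, so it is worth confirming the query emits it deliberately rather than from a branch that forgets the braces. Separately, `searchValue` holds the resource kind here (`"Pod"`, `"Configuration"`) but is `""` for the same resources in cpu_limits_not_set, so two sibling queries disagree on what that field carries. Aligning the two queries and regenerating both fixtures keeps consumers of the result JSON from having to special-case one of them. The enclosing array of this hunk opens before it, at the file's first line.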
@@ -1,12 +1,28 @@ [ - { - "queryName": "Dashboard Is Enabled", - "severity": "LOW", - "line": 22 - }, - { - "queryName": "Dashboard Is Enabled", - "severity": "LOW", - "line": 67 - } + { + "queryName": "Dashboard Is Enabled", + "severity": "LOW", + "line": 22, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "kubernetes-dashboard-1", + "searchKey": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has not kubernetes-dashboard deployed", + "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed", + "issueType": "IncorrectValue" + }, + { + "queryName": "Dashboard Is Enabled", + "severity": "LOW", + "line": 67, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "myapp-pod", + "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed", + "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 54d5837dd84..74294337c9c 100644 --- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "Deployment Has No PodAntiAffinity", - "severity": "LOW", - "line": 19 - }, - { - "queryName": "Deployment Has No PodAntiAffinity", - "severity": "LOW", - "line": 39 - } + { + "queryName": "Deployment Has No PodAntiAffinity", + "severity": "LOW", + "line": 19, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "label-mismatch", + "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata", + "issueType": "IncorrectValue" + }, + { + "queryName": "Deployment Has No PodAntiAffinity", + "severity": "LOW", + "line": 39, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "no-affinity", + "searchKey": "metadata.name={{no-affinity}}.spec.template.spec", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity' should be set", + "actualValue": "'spec.template.spec.affinity' is undefined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json index 2576b9bc43d..62ce2de54c6 100644 --- a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Deployment Without PodDisruptionBudget", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.selector.matchLabels", + "searchValue": "", + "expectedValue": "metadata.name=nginx-deployment is targeted by a PodDisruptionBudget", + "actualValue": "metadata.name=nginx-deployment is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 4389559e412..191ccd4362a 100644 --- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "test-pd", + "searchKey": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive.yaml", + "resourceType": "ReplicationController", + "resourceName": "node-manager", + "searchKey": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 67 + "line": 67, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path", + "searchValue": "", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" } -] \ No newline 
at end of file +] diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json index 32144a1d9ff..912cb3859a7 100644 --- a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Encryption Provider Config Is Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Encryption Provider Config Is Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--encryption-provider-config flag should be defined", + "actualValue": "--encryption-provider-config flag is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json index 8f74ab86fd4..754d64a15f6 100644 --- a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "Encryption Provider Not Properly Configured", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.yaml" - } + { + "queryName": "Encryption Provider Not Properly Configured", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.yaml", + "resourceType": "EncryptionConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{EncryptionConfiguration}}.providers", + "searchValue": "", + "expectedValue": "aescbc, kms or secretbox provider should be defined", + "actualValue": "aescbc, kms or secretbox provider is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json index 90ca7d5c875..02d4bb7bfc5 100644 --- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json +++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Ensure Administrative Boundaries Between Resources", - "severity": "INFO", - "line": 5, - "fileName": "positive.yaml" - } + { + "queryName": "Ensure Administrative Boundaries Between Resources", + "severity": "INFO", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.namespace={{cosmic-namespace}}", + "searchValue": "", + "expectedValue": "ensure that these namespaces are the ones you need and are adequately administered as per your requirements.", + "actualValue": "namespaces in use: cosmic-namespace", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 6d3c14dce1b..d7f69b895de 100644 --- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be set to true", + "actualValue": "--client-cert-auth flag is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be defined and set to true", + "actualValue": "--client-cert-auth flag is not defined", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json index 7a9969fbe96..3c24b50c023 100644 --- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Etcd Client Certificate File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Etcd Client Certificate File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--etcd-cafile flag should be defined", + "actualValue": "--etcd-cafile flag is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 968c9fab2a9..34d547c30b6 100644 --- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be set to true", + "actualValue": "--peer-client-cert-auth flag is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", + "actualValue": "--peer-client-cert-auth flag is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 6c81f41de7e..6f94672c4e0 100644 --- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-key-file", + "expectedValue": "--peer-key-file flag should be defined", + "actualValue": "--peer-key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 2894ecb6935..f5f8792830f 100644 
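Review bot: `searchValue` in all three entries of this hunk is the resource kind glued directly onto the flag name (`"Deployment--peer-key-file"`, `"Deployment--peer-cert-file"`), and the same shape appears in the two hunks that follow for etcd_tls_certificate_files_not_properly_set (`"Deployment--key-file"`, `"Deployment--cert-file"`) and etcd_tls_certificate_not_properly_configured (`"Pod--etcd-certfile"`, `"Pod--etcd-keyfile"`). That reads like a concatenation with a dropped separator in the query's output rather than a deliberate value, and committing it here makes the fixture assert that exact string. Worth confirming the intent before merging; if it is accidental, the fix belongs in the query (insert the intended separator) followed by regenerating these files, not in a hand edit of the expected results. Every other query in this chunk leaves `searchValue` empty or set to the bare kind, so this family is the outlier.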
--- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 46, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--cert-file", + "expectedValue": "--cert-file flag should be defined", + "actualValue": "--cert-file flag is not defined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json index ec4e7429b21..e8ecce52052 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-certfile", + "expectedValue": "--etcd-certfile flag should be defined", + "actualValue": "--etcd-certfile flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 25, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json index a668b988671..84e3c9ca56d 100644 --- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json 
+++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Event Rate Limit Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Event Rate Limit Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'EventRateLimit' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'EventRateLimit' plugin", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json index d1981d9c340..3df547c4461 100644 --- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "HPA Targeted Deployments With Configured Replica Count", "severity": "INFO", - "line": 10 + "line": 10, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "php-apache-1", + "searchKey": "metadata.name={{php-apache-1}}.spec.replicas", + "searchValue": "", + "expectedValue": "metadata.name={{php-apache-1}}.spec.replicas should be undefined", + "actualValue": "metadata.name={{php-apache-1}}.spec.replicas is defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json index 0ca04478879..d316462049d 100644 --- a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "HPA Targets Invalid Object", - "severity": "LOW", - "line": 12 - } + { + "queryName": "HPA Targets Invalid Object", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "HorizontalPodAutoscaler", + "resourceName": "php-apache", + "searchKey": "spec.metrics", + "searchValue": "", + "expectedValue": "spec.metrics[0] is a valid object ", + "actualValue": "spec.metrics[0] is an invalid object ", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json index a4059658917..8f9d5e1d48f 100644 --- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json 
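Review bot: The `expectedValue` and `actualValue` strings added for hpa_targets_invalid_object carry a trailing space (`"spec.metrics[0] is a valid object "`, `"spec.metrics[0] is an invalid object "`), so the stray whitespace becomes part of the pinned contract and any later cleanup of the query's message will fail this test. The space presumably originates in the query's format string rather than in the generator, so trimming it there and regenerating would give `"expectedValue": "spec.metrics[0] is a valid object"` and `"actualValue": "spec.metrics[0] is an invalid object"`. If the fixture must be committed as-is for now, a follow-up to align message and fixture together avoids a silent mismatch later.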
@@ -1,8 +1,15 @@ [ - { - "queryName": "Image Policy Webhook Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Image Policy Webhook Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'ImagePolicyWebhook' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'ImagePolicyWebhook' plugin", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index 5cbf7249971..37f3c034ba0 100644 --- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json 
@@ -1,20 +1,41 @@ [ - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 9, - "fileName": "positive1.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 18, - "fileName": "positive2.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 16, - "fileName": "positive3.yaml" - } + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 9, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-always", + "searchKey": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache", + "issueType": "IncorrectValue" + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 18, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy", + "searchKey": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", + "issueType": "IncorrectValue" + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set 
To Always", + "severity": "LOW", + "line": 16, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy1", + "searchKey": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json index e4028708fbc..7ccfd4bfc1a 100644 --- a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-1", + "searchKey": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image should specify the image with a digest", + "actualValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image does not include an image digest", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 8a5e62a2f23..70fcbcbfc14 100644 
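Review bot: The positive3.yaml entry at the end of this hunk is tagged `"issueType": "MissingAttribute"` while its `actualValue` says `...imagePullPolicy relies on mutable images in cache`, which describes a wrong value rather than an absent field; its `searchKey` stops at `containers.name={{nginx}}` with no `.imagePullPolicy` segment, which supports the missing-attribute reading, so the message is the odd one out. The two sibling entries above it (positive1.yaml, positive2.yaml) pair the same wording with `IncorrectValue`, which is consistent. If the classification was derived from the query's undefined-attribute branch (inferred, not visible here), the fix is that branch's `actualValue` in the query, e.g. `imagePullPolicy is undefined`, followed by regenerating this fixture; otherwise the `issueType` chosen here needs a second look. Leaving the two out of step locks a misleading message into the expected results.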
--- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -1,12 +1,28 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 27 - }, - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 72 - } + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 27, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.volumeClaimTemplates has only one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web.spec.volumeClaimTemplates has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 72, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name=web2.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web2.spec.volumeClaimTemplates has one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web2.spec.volumeClaimTemplates does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json index cd39ebbc112..2866e0565ec 100644 --- a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json 
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Ingress Controller Exposes Workload",
- "severity": "MEDIUM",
- "line": 31
- }
+ {
+ "queryName": "Ingress Controller Exposes Workload",
+ "severity": "MEDIUM",
+ "line": 31,
+ "filename": "positive.yaml",
+ "resourceType": "Ingress",
+ "resourceName": "app-ingress",
+ "searchKey": "metadata.name={{app-ingress}}.spec.rules.http.paths.backend",
+ "searchValue": "",
+ "expectedValue": "metadata.name=app-ingress should not be exposing the workload",
+ "actualValue": "metadata.name=app-ingress is exposing the workload",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json
index 5ad480dadd1..3024c1a316e 100644
--- a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Insecure Bind Address Set",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--insecure-bind-address flag should not be set",
+ "actualValue": "--insecure-bind-address flag is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Insecure Bind Address Set",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--insecure-bind-address flag should not be set",
+ "actualValue": "--insecure-bind-address flag is set",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json
index 0220b09dd9d..f1825fc2200 100644
--- a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Insecure Port Not Properly Set",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--insecure-port flag should be set to 0",
+ "actualValue": "--insecure-port flag is not properly set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Insecure Port Not Properly Set",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--insecure-port flag should be defined and set to 0",
+ "actualValue": "--insecure-port flag is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/invalid_image/test/positive_expected_result.json b/assets/queries/k8s/invalid_image/test/positive_expected_result.json
index e0493f320e4..d9a17432255 100644
--- a/assets/queries/k8s/invalid_image/test/positive_expected_result.json
+++ b/assets/queries/k8s/invalid_image/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Invalid Image Tag",
 "severity": "LOW",
- "line": 8
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "private-image-test-3",
+ "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest",
+ "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Invalid Image Tag",
 "severity": "LOW",
- "line": 19
+ "line": 19,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "private-image-test-33",
+ "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest",
+ "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json
index fbd6365dacf..5781c68f742 100644
--- a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json
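Review bot: Both entries pin `"issueType": "MissingAttribute"` although the `actualValue` text they also pin, `tag is not provided or latest`, covers two different conditions — an absent tag (genuinely a missing attribute) and an explicit `:latest` tag (an attribute that is present but has an unacceptable value). Which case each positive.yaml line exercises is not visible here; if either is the `:latest` case, `IncorrectValue` would be the accurate type, and the query's single combined message is what hides the distinction. Worth confirming against the query before the type is frozen in the fixture, since this file is the only check on the type the query emits.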
@@ -3,6 +3,13 @@
 "queryName": "Kubelet Certificate Authority Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--kubelet-certificate-authority flag should be set",
+ "actualValue": "--kubelet-certificate-authority flag is not set",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json
index 56e7122183a..12c28b071fd 100644
--- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Kubelet Client Certificate Or Key Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "Pod--kubelet-client-certificate",
+ "expectedValue": "--kubelet-client-certificate flag should be set",
+ "actualValue": "--kubelet-client-certificate flag is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubelet Client Certificate Or Key Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "Pod--kubelet-client-key",
+ "expectedValue": "--kubelet-client-key flag should be set",
+ "actualValue": "--kubelet-client-key flag is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubelet Client Certificate Or Key Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "Pod--kubelet-client-key",
+ "expectedValue": "--kubelet-client-key flag should be set",
+ "actualValue": "--kubelet-client-key flag is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubelet Client Certificate Or Key Not Set",
 "severity": "MEDIUM",
 "line": 25,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo2",
+ "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "Pod--kubelet-client-certificate",
+ "expectedValue":
"--kubelet-client-certificate flag should be set",
+ "actualValue": "--kubelet-client-certificate flag is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubelet Client Certificate Or Key Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "Pod--kubelet-client-certificate",
+ "expectedValue": "--kubelet-client-certificate flag should be set",
+ "actualValue": "--kubelet-client-certificate flag is not set",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json
index 186ed212f02..969189d456a 100644
--- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json
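Review bot: `searchValue` is pinned as `Pod--kubelet-client-certificate` / `Pod--kubelet-client-key` in this fixture, whereas every other kubelet fixture on this page pins `""` or the bare resource type; the value reads as the resource type and the flag name concatenated with no separator. If that is the deliberate discriminator for the two findings that share line 11 and the same `searchKey` in positive1.yaml, it is fine, but it is worth a sentence in the query's documentation, since nothing in the fixture explains why these two results differ only in this field. If it is instead an accidental `concat` in the query, this fixture now freezes the oddity and a later fix to the query will have to touch both files.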
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
- "severity": "MEDIUM",
- "line": 2,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
- "severity": "MEDIUM",
- "line": 8,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
- "severity": "MEDIUM",
- "line": 6,
- "filename": "positive3.json"
- }
+ {
+ "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--rotate-certificates flag should be true",
+ "actualValue": "--rotate-certificates flag is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive2.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates",
+ "searchValue": "",
+ "expectedValue": "rotateCertificates should be true",
+ "actualValue": "rotateCertificates is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive3.json",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates",
+ "searchValue": "",
+ "expectedValue": "rotateCertificates should be true",
+ "actualValue": "rotateCertificates is not set (default is false)",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Kubelet Client Periodic Certificate Switch Disabled",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive4.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates",
+ "searchValue": "",
+ "expectedValue": "rotateCertificates should be true",
+ "actualValue": "rotateCertificates is not set (default is false)",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json
index cbbfd67cb87..cf82906b7be 100644
--- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json
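Review bot: The four entries come out in a different order than the old file (the positive4.yaml entry was first and is now last, positive1.yaml moved from third to first), and because the whole array is re-indented at the same time every line of the file shows as removed and re-added, so the reorder is easy to miss. Whether entry order is significant depends on the comparator that consumes these fixtures, which is not visible here; if it is order-sensitive this is a behavioural change worth calling out in the description, and if it is order-insensitive a stable sort (filename, then line) applied consistently across the regenerated fixtures would keep future diffs readable. The same whole-array rewrite pattern appears in the kubelet_event_qps_not_properly_set, kubelet_not_managing_ip_tables and kubelet_protect_kernel_defaults_set_to_false hunks, though those keep the old order.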
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Kubelet Event QPS Not Properly Set",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Kubelet Event QPS Not Properly Set",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Kubelet Event QPS Not Properly Set",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Kubelet Event QPS Not Properly Set",
- "severity": "LOW",
- "line": 2,
- "fileName": "positive4.yaml"
- }
+ {
+ "queryName": "Kubelet Event QPS Not Properly Set",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--event-qps flag should be set to 0",
+ "actualValue": "--event-qps flag is not set to 0",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Event QPS Not Properly Set",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--event-qps flag should be set to 0",
+ "actualValue": "--event-qps flag is not set to 0",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Event QPS Not Properly Set",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS",
+ "searchValue": "",
+ "expectedValue": "eventRecordQPS flag should set to 0",
+ "actualValue": "eventRecordQPS flag is not set to 0",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Event QPS Not Properly Set",
+ "severity": "LOW",
+ "line": 2,
+ "filename": "positive4.yaml",
+
"resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}",
+ "searchValue": "",
+ "expectedValue": "eventRecordQPS flag should set to 0",
+ "actualValue": "eventRecordQPS flag is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json
index 130b1b46734..36c70b5a958 100644
--- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Kubelet Hostname Override Is Set",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Kubelet Hostname Override Is Set",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "Kubelet Hostname Override Is Set",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--hostname-override= flag should not be defined",
+ "actualValue": "--hostname-override= flag is defined",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Hostname Override Is Set",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--hostname-override= flag should not be defined",
+ "actualValue": "--hostname-override= flag is defined",
+ "issueType": "IncorrectValue"
+ }
 ]
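Review bot: The `expectedValue` / `actualValue` strings this fixture now pins carry wording defects that presumably originate in the query messages themselves: `"eventRecordQPS flag should set to 0"` in the positive3/positive4 entries here, `--hostname-override= flag` with a trailing `=` in the kubelet_hostname_override_is_set hunk that follows, `--make-iptables-util-chains= flag is false` with the `=` only on the actual side in kubelet_not_managing_ip_tables, `protectKernelDefaults flag should defined to true` in kubelet_protect_kernel_defaults_set_to_false, and `flag not should be 0` / `not should be 0s` in kubelet_streaming_connection_timeout_disabled. Because the fixture is compared verbatim against scan output, the wording can only be corrected in the query and the fixture together, so merging these as-is freezes the current text and turns each later message fix into a two-file change. These strings are also the report text a user sees, which is why they are worth a follow-up issue rather than being left implicit in a regenerated fixture.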
diff --git a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json
index d63831fc18f..b7d9b70b0ab 100644
--- a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Kubelet HTTPS Set To False",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--kubelet-https flag should be set to true or not be defined",
+ "actualValue": "--kubelet-https flag is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
index 2774b893079..26d3ca76597 100644
--- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Kubelet Not Managing Ip Tables",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Kubelet Not Managing Ip Tables",
- "severity": "MEDIUM",
- "line": 8,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Kubelet Not Managing Ip Tables",
- "severity": "MEDIUM",
- "line": 7,
- "filename": "positive3.json"
- }
- ]
+ {
+ "queryName": "Kubelet Not Managing Ip Tables",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--make-iptables-util-chains flag should be true",
+ "actualValue": "--make-iptables-util-chains= flag is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Not Managing Ip Tables",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive2.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains",
+ "searchValue": "",
+ "expectedValue": "makeIPTablesUtilChains should be true",
+ "actualValue": "makeIPTablesUtilChains is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Not Managing Ip Tables",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive3.json",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains",
+ "searchValue": "",
+ "expectedValue": "makeIPTablesUtilChains should be true",
+ "actualValue": "makeIPTablesUtilChains is false",
+ "issueType": "IncorrectValue"
+ }
+]
diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json
index ada1cee8bcc..477a469bffa 100644
--- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Kubelet Protect Kernel Defaults Set To False",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Kubelet Protect Kernel Defaults Set To False",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Kubelet Protect Kernel Defaults Set To False",
- "severity": "MEDIUM",
- "line": 5,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Kubelet Protect Kernel Defaults Set To False",
- "severity": "MEDIUM",
- "line": 2,
- "fileName": "positive4.yaml"
- }
+ {
+ "queryName": "Kubelet Protect Kernel Defaults Set To False",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--protect-kernel-defaults flag should not be set to false",
+ "actualValue": "--protect-kernel-defaults flag is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Protect Kernel Defaults Set To False",
+ "severity": "MEDIUM",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--protect-kernel-defaults flag should not be set to false",
+ "actualValue": "--protect-kernel-defaults flag is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Protect Kernel Defaults Set To False",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults",
+ "searchValue": "",
+ "expectedValue": "protectKernelDefaults flag should defined to true",
+ "actualValue": "protectKernelDefaults
flag is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Kubelet Protect Kernel Defaults Set To False",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive4.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}",
+ "searchValue": "",
+ "expectedValue": "protectKernelDefaults flag should defined to true",
+ "actualValue": "protectKernelDefaults flag is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json
index 8216d07cc52..200d09bc55e 100644
--- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Kubelet Read Only Port Is Not Set To Zero",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--read-only-port flag should be '0'",
+ "actualValue": "--read-only-port flag is not set to '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kubelet Read Only Port Is Not Set To Zero",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--read-only-port flag should be '0'",
+ "actualValue": "--read-only-port flag is not set to '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kubelet Read Only Port Is Not Set To Zero",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort",
+ "searchValue": "",
+ "expectedValue": "readOnlyPort attribute to have value of 0",
+ "actualValue": "readOnlyPort attribute has value of 1",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kubelet Read Only Port Is Not Set To Zero",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort",
+ "searchValue": "",
+ "expectedValue": "readOnlyPort attribute to have value of 0",
+ "actualValue": "readOnlyPort attribute has value of 1",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json
index b566c96215a..cead41ef3b4 100644
--- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Kubelet Streaming Connection Timeout Disabled",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--streaming-connection-idle-timeout flag not should be 0",
+ "actualValue": "--streaming-connection-idle-timeout flag is 0",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kubelet Streaming Connection Timeout Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout",
+ "searchValue": "",
+ "expectedValue": "streamingConnectionIdleTimeout not should be 0s",
+ "actualValue": "streamingConnectionIdleTimeout is 0s",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kubelet Streaming Connection Timeout Disabled",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "KubeletConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout",
+ "searchValue": "",
+ "expectedValue": "streamingConnectionIdleTimeout not should be 0s",
+ "actualValue": "streamingConnectionIdleTimeout is 0s",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
index 81ec960d567..8f67bc72813 100644
--- a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Liveness Probe Is Not Defined",
 "severity": "INFO",
 "line": 9,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "liveness-exec",
+ "searchKey": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe should be defined",
+ "actualValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
index d58246a8c5f..36f251aa9bc 100644
--- a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "memory-demo-1",
+ "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined",
+ "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "memory-demo-2",
+ "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined",
+ "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "line": 38,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "memory-demo-3",
+ "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined",
+ "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "line": 57,
- "fileName": "positive1.yaml"
+ "filename":
"positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "memory-demo-4",
+ "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined",
+ "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Memory Limits Not Defined",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "test-deployment",
+ "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory should be defined",
+ "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json
index 5b0984b8d86..25797086a5f 100644
--- a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json
@@ -3,30 +3,65 @@ "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo", + "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 59, - "fileName": 
"positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-3", + "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment2", + "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json index 4602eb0db3e..018149001f2 100644 --- a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json +++ b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "Metadata Label Is Invalid",
 "severity": "LOW",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "goproxy",
+ "searchKey": "metadata.name={{goproxy}}.labels.app",
+ "searchValue": "Pod",
+ "expectedValue": "'metadata.labels.{{app}}' has valid label g**dy.l+bel.",
+ "actualValue": "'metadata.labels.{{app}}' has invalid label g**dy.l+bel.",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
index 9750d762fc9..f26422b38fe 100644
--- a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
+++ b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
@@ -1,22 +1,54 @@ [ - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 5 - }, - { - "queryName": "Missing AppArmor Profile", - "severity": "LOW", - "line": 36 - } + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}", + "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello1", + "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}", + "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello2", + "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 5, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "hello-apparmor-1", + "searchKey": "metadata.name={{hello-apparmor-1}}.annotations", + "searchValue": "Podcontainers2", + 
"expectedValue": "metadata.name={{hello-apparmor-1}}.annotations should specify an AppArmor profile for container {{hello3}}", + "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}", + "issueType": "MissingAttribute" + }, + { + "queryName": "Missing AppArmor Profile", + "severity": "LOW", + "line": 36, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "ubuntu-test1", + "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata", + "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container", + "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'", + "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json index 4b83ee1a4fc..cb763c90c49 100644 --- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json 
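Review bot: The `searchValue` strings frozen for this query look like two fields glued together with no separator — `"Podcontainer.apparmor.security.beta.kubernetes.io/hello1"` and `"Podcontainers2"` read as the resource kind concatenated with an annotation key or a container index. Because this file is what the test asserts scanner output against, regenerating it as-is turns what is presumably a formatting slip in the query's `searchValue` into the specification; if the concatenation is not deliberate, the rego should be corrected first and this fixture regenerated afterwards. It is also worth confirming how the harness keys these entries, since the first two findings share `line: 5`, the same `resourceName` and the same `searchKey` `metadata.name={{hello-apparmor-1}}`, differing only in `searchValue`.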
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin",
+ "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin",
+ "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
index 92cae458def..8314374f1e3 100644
--- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
+++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "NET_RAW Capabilities Disabled for PSP",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted",
+ "searchKey": "metadata.name={{restricted}}.spec.requiredDropCapabilities",
+ "searchValue": "",
+ "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'",
+ "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NET_RAW Capabilities Disabled for PSP",
 "severity": "MEDIUM",
- "line": 57
+ "line": 57,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted2",
+ "searchKey": "metadata.name={{restricted2}}.spec.requiredDropCapabilities",
+ "searchValue": "",
+ "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'",
+ "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
index b850bf2243a..64986eddf4a 100644
--- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
+++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
@@ -3,30 +3,65 @@ "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop includes ALL or NET_RAW", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop does not include ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 23, - "fileName": "positive1.yaml" + "line": 18, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": 
"MEDIUM", - "line": 13, - "fileName": "positive1.yaml" + "line": 23, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "redis-unhealthy-deployment", + "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined", + "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index bb09f21ab6f..4beacb587fa 100644 --- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "Network Policy Is Not Targeting Any Pod",
 "severity": "LOW",
- "line": 22
+ "line": 22,
+ "filename": "positive.yaml",
+ "resourceType": "NetworkPolicy",
+ "resourceName": "test-network-policy",
+ "searchKey": "metadata.name={{test-network-policy}}.spec.podSelector.matchLabels.app",
+ "searchValue": "",
+ "expectedValue": "'spec.podSelector.matchLabels.app' is targeting at least a pod",
+ "actualValue": "'spec.podSelector.matchLabels.app' is not targeting any pod",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
index c79222edd9c..18a33c6e2fa 100644
--- a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
+++ b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities", + "searchValue": "Deployment", + "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined", + "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities should be set", + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", - "line": 28 + "line": 28, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set", + "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined", + "issueType": "MissingAttribute" } ] 
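Review bot: The third entry's `searchKey` is `metadata.name={{nginx-deployment}}.spec.containers.name=payment3`, with the container name not wrapped in `{{…}}` as the sibling entries are (`{{payment}}`, `{{payment2}}`), and the three `expectedValue` strings use three different templates for what is the same class of finding (`spec.containers[payment].securityContext.capabilities.drop should be defined`, `…capabilities should be set`, `…securityContext should be set`). Since this fixture is what the test compares scanner output against, committing it unchanged pins those inconsistencies as expected behaviour; if they come from separate branches of the rego formatting the key and message differently, aligning the query and regenerating is cheaper now than once anything downstream starts parsing `searchKey`. The `.spec.containers` path directly under a Deployment (rather than `.spec.template.spec.containers`) presumably mirrors how the test's positive.yaml is written, but it is worth a glance for the same reason.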
diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
index 1a40d67c3d1..b4ed3a12d19 100644
--- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Node Restriction Admission Control Plugin Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should contain 'NodeRestriction' plugin",
+ "actualValue": "--enable-admission-plugins flag does not contain 'NodeRestriction' plugin",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
index 860b273c2d4..5ca0a63d3d1 100644
--- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
+++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
@@ -2,46 +2,118 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 40 + "line": 40, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted", + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 43 + "line": 43, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/lib/docker/containers' mounted", + "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/lib/docker/containers' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 59 + "line": 59, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis", + "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a 
hostPath '/var/redis/data' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 76 + "line": 76, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' should not have hostPath '/var/redis/data' mounted", + "actualValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' has a hostPath '/var/redis/data' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 106 + "line": 106, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 136 + "line": 136, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted", + "actualValue": 
"Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 153 + "line": 153, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 168 + "line": 168, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 185 + "line": 185, + "filename": "positive.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath 
'/var/redis/data' mounted",
+ "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
index 9bddecf306a..59d1a8bfc24 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Not Limited Capabilities For Pod Security Policy",
 "severity": "INFO",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted",
+ "searchKey": "metadata.name={{restricted}}.spec",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities should be defined",
+ "actualValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
index 6b7e077664a..7a6d154af0e 100644
--- a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
+++ b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
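Review bot: The two PersistentVolume entries (`pv-001`, `pv-002`) carry messages saying the object is "in non kube-system namespace 'default'", but PersistentVolume is a cluster-scoped kind with no namespace, so that text appears to come from the query's namespace fallback rather than from anything in the manifest; freezing it here makes a misleading message part of the expected output. The `pv-002` entry's `searchKey` is also `metadata.name={{pv-002}}.hostPath.path` while `pv-001` uses `metadata.name={{pv-001}}.spec.hostPath.path` — either positive.yaml really places `hostPath` outside `spec` for pv-002 (in which case it is not a valid PV and the finding is questionable) or the key is built by a different rego branch; worth confirming before the snapshot locks it in. If the message is adjusted for cluster-scoped kinds, something like `PersistentVolume name 'pv-001' should not mount a host sensitive OS directory '/' with hostPath` would be accurate, and this fixture regenerated afterwards.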
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Not Unique Certificate Authority",
- "severity": "MEDIUM",
- "line": 22,
- "filename": "positive1.yaml"
- }
+ {
+ "queryName": "Not Unique Certificate Authority",
+ "severity": "MEDIUM",
+ "line": 22,
+ "filename": "positive1.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "database",
+ "searchKey": "metadata.name={{database}}.spec.template.spec.containers.name={{database}}.command",
+ "searchValue": "",
+ "expectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File",
+ "actualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
index aeea421e766..42939bc2cea 100644
--- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
+++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
@@ -1,27 +1,67 @@ [ - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 1 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 58 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 76 - }, - { - "queryName": "Object Is Using A Deprecated API Version", - "severity": "LOW", - "line": 94 - } + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 1, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "apiVersion={{apps/v1beta1}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment should be {{apps/v1}}", + "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}", + "issueType": "IncorrectValue" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 23, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "apiVersion={{apps/v1beta2}}", + "searchValue": "DaemonSet", + "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}", + "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}", + "issueType": "IncorrectValue" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 58, + "filename": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "minimal-ingress", + "searchKey": "apiVersion={{extensions/v1beta1}}", + "searchValue": "Ingress", + "expectedValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", + 
"actualValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress is deprecated and is {{extensions/v1beta1}}", + "issueType": "IncorrectValue" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 76, + "filename": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "minimal-ingress1", + "searchKey": "apiVersion={{networking.k8s.io/v1beta1}}", + "searchValue": "Ingress", + "expectedValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}", + "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}", + "issueType": "IncorrectValue" + }, + { + "queryName": "Object Is Using A Deprecated API Version", + "severity": "LOW", + "line": 94, + "filename": "positive.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "apiVersion={{batch/v1beta1}}", + "searchValue": "CronJob", + "expectedValue": "metadata.name={{hello}}.apiVersion of CronJob should be {{batch/v1}}", + "actualValue": "metadata.name={{hello}}.apiVersion of CronJob is deprecated and is {{batch/v1beta1}}", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json index a13287dd345..eca763f4e76 100644 --- a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json 
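Review bot: Every entry's `searchKey` is just `apiVersion={{…}}` with no resource identity, so two objects in the same multi-document file that share a deprecated apiVersion (the two Ingress entries here would, if both used `extensions/v1beta1`) produce indistinguishable `searchKey`/`searchValue`/`resourceType` combinations and are told apart only by `line`. That is a property of the query rather than of this fixture, but the regenerated snapshot is where it becomes visible; if the harness or any consumer matches findings on `searchKey`, a regression that drops one of two such findings would not be caught. Consider having the query emit `metadata.name={{…}}.apiVersion` as the key, consistent with the `expectedValue` text it already produces, and regenerating this file afterwards.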
@@ -3,6 +3,13 @@
 "queryName": "Peer Auto TLS Set To True",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "app-etcd-deployment",
+ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command",
+ "searchValue": "",
+ "expectedValue": "--peer-auto-tls flag should be set to false or not be defined",
+ "actualValue": "--peer-auto-tls flag is set to true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
index df38f6a5872..36bcb61bec2 100644
--- a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
+++ b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
@@ -1,43 +1,93 @@
-[{
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 21,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 30,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 39,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 48,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 60,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Permissive Access to Create Pods",
- "severity": "MEDIUM",
- "line": 26,
- "fileName": "positive2.yaml"
- }
+[
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 12,
+ "filename": "positive1.yaml",
+ "resourceType": "ClusterRole",
+ "resourceName": "secret-reader",
+ "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create",
+ "searchValue": "ClusterRole/create",
+ "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains the value 'pods'",
+ "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains the value 'pods'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 21,
+ "filename": "positive1.yaml",
+ "resourceType": "Role",
+ "resourceName": "secret-reader2",
+ "searchKey": "metadata.name={{secret-reader2}}.rules.verbs.create",
+ "searchValue": "Role/create",
+ "expectedValue": "metadata.name=secret-reader2.rules.verbs should not contain the value 'create' when metadata.name=secret-reader2.rules.resources contains a wildcard value",
+ "actualValue": "metadata.name=secret-reader2.rules.verbs contains the value 'create' and metadata.name=secret-reader2.rules.resources contains a wildcard value",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 30,
+ "filename": "positive1.yaml",
+ "resourceType": "ClusterRole",
+ "resourceName": "secret-reader3",
+ "searchKey": "metadata.name={{secret-reader3}}.rules.verbs.*",
+ "searchValue": "ClusterRole/*",
+ "expectedValue": "metadata.name=secret-reader3.rules.verbs should not contain a wildcard value when metadata.name=secret-reader3.rules.resources contains the value 'pods'",
+ "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 39,
+ "filename": "positive1.yaml",
+ "resourceType": "Role",
+ "resourceName": "secret-reader4",
+ "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*",
+ "searchValue": "Role/*",
+ "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value",
+ "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 48,
+ "filename": "positive1.yaml",
+ "resourceType": "ClusterRole",
+ "resourceName": "secret-reader5",
+ "searchKey": "metadata.name={{secret-reader5}}.rules.verbs.c*e",
+ "searchValue": "ClusterRole/*",
+ "expectedValue": "metadata.name=secret-reader5.rules.verbs should not contain a wildcard value when metadata.name=secret-reader5.rules.resources contains the value 'pods'",
+ "actualValue": "metadata.name=secret-reader5.rules.verbs contains a wildcard value and metadata.name=secret-reader5.rules.resources contains the value 'pods'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 60,
+ "filename": "positive1.yaml",
+ "resourceType": "ClusterRole",
+ "resourceName": "secret-reader6",
+ "searchKey": "metadata.name={{secret-reader6}}.rules.verbs.create",
+ "searchValue": "ClusterRole/create",
+ "expectedValue": "metadata.name=secret-reader6.rules.verbs should not contain the value 'create' when metadata.name=secret-reader6.rules.resources contains a wildcard value",
+ "actualValue": "metadata.name=secret-reader6.rules.verbs contains the value 'create' and metadata.name=secret-reader6.rules.resources contains a wildcard value",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Permissive Access to Create Pods",
+ "severity": "MEDIUM",
+ "line": 26,
+ "filename": "positive2.yaml",
+ "resourceType": "ClusterRole",
+ "resourceName": "secret-reader",
+ "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create",
+ "searchValue": "ClusterRole/create",
+ "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains a wildcard value",
+ "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains a wildcard value",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json
index 984dc94bf72..17ba30abbd3 100644
--- a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Pod Misconfigured Network Policy",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "positive1-pod",
+ "searchKey": "metadata.name=positive1-pod",
+ "searchValue": "",
+ "expectedValue": "Pod positive1-pod should have ingress and egress rules in matching NetworkPolicy",
+ "actualValue": "Pod positive1-pod has no ingress or egress rules in matching NetworkPolicy",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pod Misconfigured Network Policy",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive1.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "positive2-pod",
+ "searchKey": "metadata.name=positive2-pod",
+ "searchValue": "",
+ "expectedValue": "Pod positive2-pod should have ingress and egress rules in matching NetworkPolicy",
+ "actualValue": "Pod positive2-pod has no ingress or egress rules in matching NetworkPolicy",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
index f5c689151e5..2180a1f1a45 100644
--- a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Pod or Container Without LimitRange",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Pod or Container Without LimitRange",
- "severity": "LOW",
- "line": 4,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Pod or Container Without LimitRange",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Pod or Container Without LimitRange",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive4.yaml"
- }
+ {
+ "queryName": "Pod or Container Without LimitRange",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend1",
+ "searchKey": "metadata.name={{frontend1}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{frontend1}} has a 'LimitRange' policy associated",
+ "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without LimitRange",
+ "severity": "LOW",
+ "line": 4,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend2",
+ "searchKey": "metadata.name={{frontend2}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated",
+ "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without LimitRange",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "DaemonSet",
+ "resourceName": "fluentd-elasticsearch",
+ "searchKey": "metadata.name={{fluentd-elasticsearch}}",
+ "searchValue": "DaemonSet",
+ "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'LimitRange' policy associated",
+ "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without LimitRange",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive4.yaml",
+ "resourceType": "PersistentVolumeClaim",
+ "resourceName": "webcontent",
+ "searchKey": "metadata.name={{webcontent}}",
+ "searchValue": "PersistentVolumeClaim",
+ "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated",
+ "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json
index 37773d522e0..0cb711bad53 100644
--- a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json
@@ -1,26 +1,54 @@
 [
- {
- "queryName": "Pod or Container Without ResourceQuota",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Pod or Container Without ResourceQuota",
- "severity": "LOW",
- "line": 4,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Pod or Container Without ResourceQuota",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Pod or Container Without ResourceQuota",
- "severity": "LOW",
- "line": 5,
- "fileName": "positive4.yaml"
- }
+ {
+ "queryName": "Pod or Container Without ResourceQuota",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod1",
+ "searchKey": "metadata.name={{pod1}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{pod1}} has a 'ResourceQuota' policy associated",
+ "actualValue": "metadata.name={{pod1}} does not have a 'ResourceQuota' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without ResourceQuota",
+ "severity": "LOW",
+ "line": 4,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod2",
+ "searchKey": "metadata.name={{pod2}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{pod2}} has a 'ResourceQuota' policy associated",
+ "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without ResourceQuota",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive3.yaml",
+ "resourceType": "DaemonSet",
+ "resourceName": "fluentd-elasticsearch",
+ "searchKey": "metadata.name={{fluentd-elasticsearch}}",
+ "searchValue": "DaemonSet",
+ "expectedValue": "metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated",
+ "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without ResourceQuota",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive4.yaml",
+ "resourceType": "PersistentVolumeClaim",
+ "resourceName": "webcontent",
+ "searchKey": "metadata.name={{webcontent}}",
+ "searchValue": "PersistentVolumeClaim",
+ "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated",
+ "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json
index 7767c0122ee..0280b96ca93 100644
--- a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json
@@ -1,13 +1,28 @@
 [
- {
- "queryName": "Pod or Container Without Security Context",
- "severity": "LOW",
- "line": 5
- },
-
- {
- "queryName": "Pod or Container Without Security Context",
- "severity": "LOW",
- "line": 19
- }
+ {
+ "queryName": "Pod or Container Without Security Context",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{frontend}}.spec has a security context",
+ "actualValue": "metadata.name={{frontend}}.spec does not have a security context",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Pod or Container Without Security Context",
+ "severity": "LOW",
+ "line": 19,
+ "filename": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name=log-aggregator has a security context",
+ "actualValue": "spec.containers.name=log-aggregator does not have a security context",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
index 74190bca4a7..b9e046c8bcb 100644
--- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Pod Security Policy Admission Control Plugin Not Set",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive1.yaml"
- }
+ {
+ "queryName": "Pod Security Policy Admission Control Plugin Not Set",
+ "severity": "HIGH",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should contain 'PodSecurityPolicy' plugin",
+ "actualValue": "--enable-admission-plugins flag does not contain 'PodSecurityPolicy' plugin",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
index 4f333322132..c78b1f4b416 100644
--- a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
+++ b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
@@ -1,32 +1,67 @@
 [
- {
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "line": 21,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "line": 9,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Privilege Escalation Allowed",
- "severity": "HIGH",
- "line": 17,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod2",
+ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false",
+ "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "line": 21,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod2",
+ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false",
+ "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "line": 9,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example-priv",
+ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation should be set and should be set to false",
+ "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation is undefined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example-priv",
+ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false",
+ "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Privilege Escalation Allowed",
+ "severity": "HIGH",
+ "line": 17,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example-priv",
+ "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and should be set to false",
+ "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json
index 899cc5ca74d..13f175a635f 100644
--- a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json
+++ b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json
@@ -1,44 +1,93 @@
 [
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 21,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 21,
- "fileName": "positive4.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 2,
- "fileName": "positive5.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive6.yaml"
- },
- {
- "queryName": "Profiling Not Set To False",
- "severity": "LOW",
- "line": 14,
- "fileName": "positive7.yaml"
- }
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--profiling flag should be set to false",
+ "actualValue": "--profiling flag is set to true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo-1",
+ "searchKey": "metadata.name={{command-demo-1}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--profiling flag should be defined and set to false",
+ "actualValue": "--profiling flag is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 21,
+ "filename": "positive3.yaml",
+ "resourceType": "Pod",
+ "resourceName": "kube-controller-manager-master-3",
+ "searchKey": "metadata.name={{kube-controller-manager-master-3}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--profiling flag should be set to false",
+ "actualValue": "--profiling flag is set to true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 21,
+ "filename": "positive4.yaml",
+ "resourceType": "Pod",
+ "resourceName": "kube-controller-manager-master-4",
+ "searchKey": "metadata.name={{kube-controller-manager-master-4}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--profiling flag should be defined and set to false",
+ "actualValue": "--profiling flag is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 2,
+ "filename": "positive5.yaml",
+ "resourceType": "KubeSchedulerConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeSchedulerConfiguration}}",
+ "searchValue": "",
+ "expectedValue": "enableProfiling argument flag should be defined and set to false",
+ "actualValue": "enableProfiling argument is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 3,
+ "filename": "positive6.yaml",
+ "resourceType": "KubeSchedulerConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{KubeSchedulerConfiguration}}.enableProfiling",
+ "searchValue": "",
+ "expectedValue": "enableProfiling argument flag should be set to false",
+ "actualValue": "enableProfiling argument is set to true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Profiling Not Set To False",
+ "severity": "LOW",
+ "line": 14,
+ "filename": "positive7.yaml",
+ "resourceType": "Pod",
+ "resourceName": "kube-scheduler-master-2",
+ "searchKey": "metadata.name={{kube-scheduler-master-2}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--profiling flag should be set to false",
+ "actualValue": "--profiling flag is set to true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json
index 86ec9f078d3..820e96f08a8 100644
--- a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation",
+ "searchValue": "",
+ "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false",
+ "actualValue": "Attribute 'allowPrivilegeEscalation' is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged2",
+ "searchKey": "metadata.name={{privileged2}}.spec",
+ "searchValue": "",
+ "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set",
+ "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
index e5f72bb23f2..56cad85120f 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PSP Allows Sharing Host IPC",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.hostIPC",
+ "searchValue": "",
+ "expectedValue": "'spec.hostIPC' should be set to false or undefined",
+ "actualValue": "'spec.hostIPC' is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
index 288f1c94199..6b41fd2461a 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "PSP Allows Sharing Host PID",
- "severity": "MEDIUM",
- "line": 6
- }
+ {
+ "queryName": "PSP Allows Sharing Host PID",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.hostPID",
+ "searchValue": "",
+ "expectedValue": "'spec.hostPID' should be set to false or undefined",
+ "actualValue": "'spec.hostPID' is true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
index a99cbc0ca3d..4d2caf0419a 100644
--- a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "PSP Allows Containers To Share The Host Network Namespace",
- "severity": "HIGH",
- "line": 14
- }
+ {
+ "queryName": "PSP Allows Containers To Share The Host Network Namespace",
+ "severity": "HIGH",
+ "line": 14,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.hostNetwork",
+ "searchValue": "",
+ "expectedValue": "'spec.hostNetwork' should be set to false or undefined",
+ "actualValue": "'spec.hostNetwork' is true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
index 18055bdda6c..82abb4fa6c7 100644
--- a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.privileged",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{example}}.spec.privileged should be set to false",
+ "actualValue": "metadata.name={{example}}.spec.privileged is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
index c9d9361f647..e021bcfbc50 100644
--- a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PSP With Added Capabilities",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.allowedCapabilities",
+ "searchValue": "",
+ "expectedValue": "PodSecurityPolicy should not have allowed capabilities",
+ "actualValue": "PodSecurityPolicy has allowed capabilities",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
index eb361d4aa64..df41d0189c8 100644
--- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
@@ -1,20 +1,41 @@ [ - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 9, - "fileName": "positive3.yaml" - } + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 5, + "filename": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths' should be defined and not null", + "actualValue": "'spec.allowedHostPaths' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 9, + "filename": "positive3.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is set to false", + "issueType": "IncorrectValue" + } ] 
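Review bot: The positive3.yaml entry pins `"searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly"`, a path without the `[0]` index that its own expectedValue/actualValue use (`'spec.allowedHostPaths[0].readOnly'`); `allowedHostPaths` is a list in a PodSecurityPolicy, so if the comparer resolves searchKey against the YAML, the key as written does not say which element line 9 belongs to. If this file is regenerated from the query output rather than hand-written, that mismatch lives in query.rego and should be corrected there before the fixture freezes it. Separately, the hunk renames every `fileName` key to `filename`; whichever spelling the test comparer reads, the other was being silently ignored before, so this is a change in what the test actually checks, not only a field addition.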
diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json index 2d795e4b970..e47dd5d3576 100644 --- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "RBAC Roles Allow Privilege Escalation", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "rbac-binder", + "searchKey": "metadata.name={{rbac-binder}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{rbac-binder}}.rules[0].verbs should not include the 'bind' and/or 'escalate' permission", + "actualValue": "metadata.name={{rbac-binder}}.rules[0].verbs includes the 'bind' and/or 'escalate' permission", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json index 3e44d4cb64b..c3387546b1c 100644 --- a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "RBAC Roles with Attach Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-attach", + "searchKey": "metadata.name={{allow-attach}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-attach}}.rules[0].resources should not include the 'pods/attach' resource", + "actualValue": "metadata.name={{allow-attach}}.rules[0].resources includes the 'pods/attach' resource", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json index 22147fdfcd5..a1bee40cba2 100644 --- a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "RBAC Roles with Exec Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-exec", + "searchKey": "metadata.name={{allow-exec}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-exec}}.rules[0].resources should not include the 'pods/exec' resource", + "actualValue": "metadata.name={{allow-exec}}.rules[0].resources includes the 'pods/exec' resource", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json index 6e71882dfd1..9219c1b9721 100644 --- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "RBAC Roles with Impersonate Permission", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "impersonator-role", + "searchKey": "metadata.name={{impersonator-role}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{impersonator-role}}.rules[0].verbs should not include the 'impersonate' verb", + "actualValue": "metadata.name={{impersonator-role}}.rules[0].verbs includes the 'impersonate' verb", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json index d5deff99de9..b311affb6a6 100644 --- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "RBAC Roles with Port-Forwarding Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-port-forward", + "searchKey": "metadata.name={{allow-port-forward}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-port-forward}}.rules[0].resources should not include the 'pods/portforward' resource", + "actualValue": "metadata.name={{allow-port-forward}}.rules[0].resources includes the 'pods/portforward' resource", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 12920608c50..06f516847d1 100644 --- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 9 - }, - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 18 - } + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "role-secret-reader", + "searchKey": "metadata.name={{role-secret-reader}}.rules", + "searchValue": "Role0", + "expectedValue": "metadata.name={{role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue" + }, + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "cluster-role-secret-reader", + "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", + "searchValue": "ClusterRole0", + "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json index a03c04a68d9..08a232840ac 100644 --- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json 
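Review bot: `"searchValue": "Role0"` and `"searchValue": "ClusterRole0"` look like a kind concatenated with a rule index rather than a value; every other fixture in this change uses either an empty searchValue or the bare kind (`"Pod"`, `"Deployment"`). If searchValue is meant to carry the kind, these should presumably read `"searchValue": "Role"` and `"searchValue": "ClusterRole"`, with the `0` already expressed by `rules[0]` in the messages; if the query really emits `Role0`, that is worth a look in query.rego before this fixture pins it. The actualValue also hard-codes the verb order `get, watch, list`, so reordering the verbs in positive.yaml would break the test even though the finding is unchanged.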
@@ -2,36 +2,92 @@ { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": 
"metadata.name={{configmap-modifier1}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 20 + "line": 20, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json index b11c39bb6f5..decf98cb907 100644 --- a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "Readiness Probe Is Not Configured", - "severity": "MEDIUM", - "line": 9 - } + { + "queryName": "Readiness Probe Is Not Configured", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "goproxy", + "searchKey": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe should be defined", + "actualValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe is undefined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json index 54584b5ee4b..9b94eb16a19 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.yaml" - } + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + 
"searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive5.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive6.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue" + } ] 
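Review bot: All six entries (positive1.yaml through positive6.yaml) now pin the identical text `--request-timeout flag is set to more than 300 seconds` at line 11, so the fixture no longer records which variant each positive file exercises. If some of those files cover a different misconfiguration (an absent flag, a malformed value), the generated message should differ per file, e.g. `"actualValue": "--request-timeout flag is not defined"` with `"issueType": "MissingAttribute"`; if all six really are values above 300 seconds, confirm that against the YAMLs, since six identical fixtures is otherwise a sign that another branch of query.rego is never reached by the tests. The hunk runs from the previous line to here.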
diff --git a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json index d9effcde718..c6243a10b6c 100644 --- a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.yaml", + "resourceType": "RoleBinding", + "resourceName": "read-pods", + "searchKey": "subjects.name=default", + "searchValue": "", + "expectedValue": "subjects.kind=ServiceAccount.name should not be default", + "actualValue": "subjects.kind=ServiceAccount.name is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json index bea7e048f65..5a27956d7fb 100644 --- a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Root CA File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Root CA File Not Defined", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--root-ca-file flag should be defined", + "actualValue": "--root-ca-file flag is not defined", + "issueType": "MissingAttribute" + } ] 
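Review bot: The role_binding_to_default_service_account entry pins `"searchKey": "subjects.name=default"`, the only searchKey in this change that carries no `metadata.name={{...}}` prefix, so a positive.yaml with two RoleBindings would yield indistinguishable keys; its expectedValue path `subjects.kind=ServiceAccount.name` also names a different field than the searchKey's `subjects.name`. If the fixture is generated from the query, the key should presumably become something like `"searchKey": "metadata.name={{read-pods}}.subjects.name={{default}}"` once query.rego is adjusted, and this file regenerated. The quirk predates this commit, but the fixture now freezes it.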
diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 8de5a2bce6b..7d97639ea43 100644 --- a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json @@ -1,12 +1,28 @@ [ - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 24 - } + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "rootfalse", + "searchKey": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem", + "searchValue": "Pod", + "expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is true", + "actualValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 24, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "noroot", + "searchKey": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem should be set to true", + "actualValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem is undefined", + "issueType": "MissingAttribute" + } ] 
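Review bot: The two entries phrase the expected state differently: the line-12 entry pins `"expectedValue": "...securityContext.readOnlyRootFilesystem is true"`, which reads as a statement of the actual value, while the line-24 entry pins `"...readOnlyRootFilesystem should be set to true"`. Since this fixture freezes the query's wording, the first should be aligned to `"expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem should be set to true"` by fixing keyExpectedValue in query.rego and regenerating. Minor, but the expectedValue/actualValue pair is what remediation guidance is rendered from.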
diff --git a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json index 208bc44813c..cffaead53ad 100644 --- a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.runAsUser.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.runAsUser.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "metadata.name={{restricted}}.spec.runAsUser.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.supplementalGroups.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.supplementalGroups limits its ranges", + "actualValue": 
"metadata.name={{restricted}}.spec.supplementalGroups does not limit its ranges", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 32 + "line": 32, + "filename": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.fsGroup", + "searchValue": "", + "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", + "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json index a1169399df7..10148fd6824 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json 
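Review bot: The line-32 (fsGroup) entry pins a typo from the query message: `"expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)"` is missing the `=` that its own actualValue and every other key in this hunk use. It should read `metadata.name={{restricted}}.spec.fsGroup should not allow range '0' (root)`, which means fixing keyExpectedValue in query.rego and regenerating rather than hand-editing the JSON. Two smaller inconsistencies in the same hunk: the line-27 and line-31 entries state the expected condition as a fact (`is equal to 'MustRunAsNonRoot'`, `limits its ranges`) instead of a requirement like the first two entries, and the line-31 searchKey ends in `.supplementalGroups.rule` while both messages talk about `.supplementalGroups` ranges.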
@@ -1,25 +1,54 @@ [ - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" - },{ - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" - } + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": 
"IncorrectValue" + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json index b5d3b90f179..43799dd744b 100644 --- a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json 
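Review bot: Both KubeletConfiguration entries (positive1.yaml and positive3.json) pin `"expectedValue": "RotateKubeletServerCertificates should be true"`, while their own actualValue and the two Pod entries use the real feature-gate name `RotateKubeletServerCertificate` (singular). The fixture is now freezing a misspelled gate name in remediation text; the line should read `"expectedValue": "RotateKubeletServerCertificate should be true"`, fixed in query.rego's keyExpectedValue and regenerated here. `"resourceName": "n/a"` on those two entries is presumably because KubeletConfiguration has no metadata.name; if the comparer treats it as a sentinel that is fine, but note it differs from the empty-string convention the same entries use for searchValue.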
@@ -1,50 +1,106 @@ [ - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 35, - "fileName": "positive4.yaml" - } + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-1", + "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 18, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-2", + "searchKey": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": 
"metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 26, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-3", + "searchKey": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 43, + "filename": "positive1.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "CronJob", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "filename": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 33, + "filename": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 35, + "filename": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json index 4f2095e9428..3ee80c8689f 100644 --- a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json 
@@ -1,17 +1,41 @@ [ - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 17 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 31 - } + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 12, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 17, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue" + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 31, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "envfrom-secret", + "searchKey": "metadata.name={{envfrom-secret}}.spec.containers.name={{envars-test-container}}.envFrom", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' should be undefined", + "actualValue": 
"'spec.containers.name={{envars-test-container}}.envFrom.secretRef' is defined", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json index 32788b10f00..443a1f27101 100644 --- a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Secure Port Set To Zero", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Secure Port Set To Zero", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--secure-port flag should not be set to 0", + "actualValue": "--secure-port flag is set to 0", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json index 8e2925f5acc..c5a50461825 100644 --- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "Security Context Deny Admission Control Plugin Not Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Security Context Deny Admission Control Plugin Not Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'SecurityContextDeny' plugin if 'PodSecurityPolicy' plugin should not be set", + "actualValue": "--enable-admission-plugins flag does not contain 'SecurityContextDeny' plugin", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json index 91bac546e59..88318277318 100644 --- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue" + }, + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json index 67513d0289c..1f4d5156d2d 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json 
@@ -1,17 +1,41 @@ [ - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 10 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 34 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 58 - } + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable", + "searchKey": "metadata.name={{testRoleVulnerable}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "issueType": "IncorrectValue" + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 34, + "filename": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable2", + "searchKey": "metadata.name={{testRoleVulnerable2}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs should not contain the following verbs: [[\"*\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]", + "issueType": "IncorrectValue" + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "testClusterRoleVulnerable", + "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", + "searchValue": "ClusterRole", + "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", + "actualValue": "The 
metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json index f7d31744351..8bb6ac5d250 100644 --- a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Service Account Key File Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Service Account Key File Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-key-file flag should be defined and have a PEM encoded file", + "actualValue": "--service-account-key-file flag is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json index 88c2e8ff6dd..2f55e5781f7 100644 --- a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "Service Account Lookup Set To False", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Service Account Lookup Set To False", + "severity": "HIGH", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-lookup flag should be set to true", + "actualValue": "--service-account-lookup flag is set to false", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json index 31b58aadfee..3dd5c03127e 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json 
@@ -1,17 +1,41 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 28 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 58 - } + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx.container", + "searchKey": "metadata.name={{nginx.container}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx.container.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx.container.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 28, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx2.container.group", + "searchKey": "metadata.name={{nginx2.container.group}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx2.container.group.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 58, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx3", + "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", + "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json index 83a1aba8213..08b017f7974 100644 --- a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Service Account Private Key File Not Defined", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-private-key-file flag should be defined", + "actualValue": "--service-account-private-key-file flag is not defined", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json index e9846ad638f..c8c1e0e5514 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json 
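Review bot: In the service_account_private_key_file_not_defined hunk, `"actualValue": "--service-account-private-key-file flag is not defined"` is classified as `"issueType": "IncorrectValue"`, whereas the sibling fixture for service_account_key_file_not_properly_set records the same "flag is not defined" condition as `"issueType": "MissingAttribute"`, as do the other "is undefined" entries in this diff. If the value was copied from that query's rego, the inconsistency is in the rego and should be corrected there before regenerating; if it was pattern-matched by the script, the mapping for this query picked the wrong class. The JSON object this hunk edits begins before the hunk (`@@ -3,6 +3,13 @@`), so only its tail is visible here.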
@@ -3,24 +3,52 @@ "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken should be defined and set to false", + "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security.context.demo", + "searchKey": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 54, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", + "searchValue": "Configuration", + "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken is true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + 
"resourceType": "ServiceAccount", + "resourceName": "redistest-sa", + "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", + "searchValue": "", + "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json index f4133656161..f2e25bd57a6 100644 --- a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Service Does Not Target Pod", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "helloworld2", + "searchKey": "metadata.name={{helloworld2}}.spec.selector", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld2}}.spec.selector label refers to a Pod label", + "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label", + "issueType": "IncorrectValue" }, { "queryName": "Service Does Not Target Pod", "severity": "LOW", "line": 12, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Service", + "resourceName": "helloworld3", + "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", + "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json index 83be0fdacda..7d1ec0305f8 100644 --- a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "Service Type is NodePort", - "severity": "LOW", - "line": 6 - } + { + "queryName": "Service Type is NodePort", + "severity": "LOW", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "my-service", + "searchKey": "metadata.name={{my-service}}.spec.type", + "searchValue": "", + "expectedValue": "spec.type should not be 'NodePort'", + "actualValue": "spec.type is 'NodePort'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json index 952a4769b95..8a4064cabae 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json 
@@ -1,27 +1,67 @@ [ - { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 4 - }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 18 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 4, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05", + "searchKey": "metadata.name={{sample-service 05}}", + "searchValue": "", + "expectedValue": "'metadata.annotations' should be set", + "actualValue": "'metadata.annotations' is undefined", + "issueType": "MissingAttribute" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 33 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05334443", + "searchKey": "metadata.name={{sample-service 05334443}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 48 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 33, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 07", + "searchKey": "metadata.name={{sample-service 07}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 07}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 07}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": 
"IncorrectValue" + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 63 - } + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 48, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 08", + "searchKey": "metadata.name={{sample-service 08}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" + }, + { + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 63, + "filename": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 09", + "searchKey": "metadata.name={{sample-service 09}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 09}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 09}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json index 703d9dce2af..237de028992 100644 --- a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" - }, - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" - } + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.hostIPC' is true", + "issueType": "IncorrectValue" + }, + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 9, + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostIPC' is true", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json index e7e02ec1826..77040526e0a 100644 --- a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostNetwork' is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json index 82c58726498..10b40b54953 100644 --- a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Shared Host PID Namespace", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.hostPID' is true", + "issueType": "IncorrectValue" }, { "queryName": "Shared Host PID Namespace", "severity": "HIGH", "line": 9, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostPID' is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 0ac068bac66..bd097d53573 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 16 - } + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 6, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue" + }, + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 16, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json index 7dc6662744b..ef88cbf0a09 100644 --- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 53 - } + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 23, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-mismatch", + "searchKey": "metadata.name={{zk-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata", + "issueType": "IncorrectValue" + }, + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 53, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-noaffinity", + "searchKey": "metadata.name={{zk-noaffinity}}.spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity' should be set", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity' is undefined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json index 4e60ad9727d..155c90c2a7a 100644 --- a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json 
@@ -1,17 +1,41 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 33 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 66 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 73 - } + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 33, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue" + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 66, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue" + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 73, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi", + "issueType": "IncorrectValue" 
+ } ] diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index fd1b1bf0c83..bbaadccd4d2 100644 --- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "StatefulSet Without PodDisruptionBudget", "severity": "LOW", - "line": 19 + "line": 19, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.selector.matchLabels", + "searchValue": "", + "expectedValue": "metadata.name=web is targeted by a PodDisruptionBudget", + "actualValue": "metadata.name=web is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json index 218b390f04b..c3883bbfb40 100644 --- a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "StatefulSet Without Service Name", "severity": "LOW", - "line": 26 + "line": 26, + "filename": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.serviceName", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.serviceName should refer to a Headless Service", + "actualValue": "metadata.name=web.spec.serviceName doesn't refers to a Headless Service", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json index 8d16690b939..551cd775df4 100644 --- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue" + }, + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json index aa5e9b5b2e6..4ac2c3a103e 100644 --- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json @@ -1,12 +1,28 @@ [ - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 53 - } + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 21, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-bad-args", + "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost", + "issueType": "IncorrectValue" + }, + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 53, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy-no-args", + "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/k8s/tiller_is_deployed/query.rego b/assets/queries/k8s/tiller_is_deployed/query.rego
index 679d520784f..8409c66b3b5 100644
--- a/assets/queries/k8s/tiller_is_deployed/query.rego
+++ b/assets/queries/k8s/tiller_is_deployed/query.rego
@@ -19,7 +19,7 @@ CxPolicy[result] {
 "searchValue": document.kind, # multiple kind can match the same rule
 "keyExpectedValue": sprintf("'metadata' of %s should not refer to any Tiller resource", [document.kind]),
 "keyActualValue": sprintf("'metadata' of %s refers to a Tiller resource", [document.kind]),
- "searchLine": commonLib.build_search_line(["metadata"],[]),
+ "searchLine": commonLib.build_search_line(["metadata", "name"],[]),
 }
 }
diff --git a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json
index cbf0d880650..1fa902013b0 100644
--- a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json
+++ b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json
@@ -1,23 +1,54 @@
 [
- {
- "queryName": "Tiller (Helm v2) Is Deployed",
- "severity": "HIGH",
- "line": 4
- },
- {
- "queryName": "Tiller (Helm v2) Is Deployed",
- "severity": "HIGH",
- "line": 10
- },
- {
- "queryName": "Tiller (Helm v2) Is Deployed",
- "severity": "HIGH",
- "line": 15
- },
- {
- "queryName": "Tiller (Helm v2) Is Deployed",
- "severity": "HIGH",
- "line": 20
- }
-
+ {
+ "queryName": "Tiller (Helm v2) Is Deployed",
+ "severity": "HIGH",
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}",
+ "searchValue": "Deployment",
+ "expectedValue": "'metadata' of Deployment should not refer to any Tiller resource",
+ "actualValue": "'metadata' of Deployment refers to a Tiller resource",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tiller (Helm v2) Is Deployed",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}.spec.containers",
+ "searchValue": "Deployment",
+ "expectedValue": "'spec.containers' of Deployment shouldn't have any Tiller containers",
+ "actualValue": "'spec.containers' of Deployment contains a Tiller container",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tiller (Helm v2) Is Deployed",
+ "severity": "HIGH",
+ "line": 15,
+ "filename": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}.spec.template.metadata",
+ "searchValue": "Deployment",
+ "expectedValue": "'spec.template.metadata' should not refer to any Tiller resource%!(EXTRA string=Deployment)",
+ "actualValue": "'spec.template.metadata' refers to a Tiller resource%!(EXTRA string=Deployment)",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tiller (Helm v2) Is Deployed",
+ "severity": "HIGH",
+ "line": 20,
+ "filename": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}.spec.template.spec.containers",
+ "searchValue": "Deployment",
+ "expectedValue": "'spec.template.spec.containers' of Deployment shouldn't have any Tiller containers",
+ "actualValue": "'spec.template.spec.containers' of Deployment contains a Tiller container",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json
index d1f4f0d303e..49d2818fe7e 100644
--- a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json
+++ b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json
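Review bot: The third entry pins a formatting artefact into the fixture: both `expectedValue` and `actualValue` end in `%!(EXTRA string=Deployment)`, which is what Go's fmt emits when a format string receives more arguments than it has verbs. That points at the query's `sprintf` for the `'spec.template.metadata'` rule (not in this diff) passing `[document.kind]` to a message with no `%s`, unlike the sibling rules in this file which read `'... of %s ...'`. Committing the generated output as-is turns the regression test into a guard for the broken message; fix the rego (drop the argument or add `of %s` to match the other rules) and regenerate this file instead.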
@@ -1,17 +1,41 @@
 [
- {
- "queryName": "Tiller Service Is Not Deleted",
- "severity": "HIGH",
- "line": 4
- },
- {
- "queryName": "Tiller Service Is Not Deleted",
- "severity": "HIGH",
- "line": 7
- },
- {
- "queryName": "Tiller Service Is Not Deleted",
- "severity": "HIGH",
- "line": 12
- }
+ {
+ "queryName": "Tiller Service Is Not Deleted",
+ "severity": "HIGH",
+ "line": 4,
+ "filename": "positive.yaml",
+ "resourceType": "Service",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}",
+ "searchValue": "Service",
+ "expectedValue": "metadata.name of Service should not contain 'tiller'",
+ "actualValue": "metadata.name of Service contains 'tiller'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tiller Service Is Not Deleted",
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "Service",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}",
+ "searchValue": "Service",
+ "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'",
+ "actualValue": "metadata.labels.Service of name contains 'tiller'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tiller Service Is Not Deleted",
+ "severity": "HIGH",
+ "line": 12,
+ "filename": "positive.yaml",
+ "resourceType": "Service",
+ "resourceName": "tiller-deploy",
+ "searchKey": "metadata.name={{tiller-deploy}}.spec.selector.name",
+ "searchValue": "Service",
+ "expectedValue": "spec.selector of Service should not have values that contain 'tiller'",
+ "actualValue": "spec.selector.Service of name contains 'tiller'",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json
index 6d46ad24a64..7d92097a8c3 100644
--- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json
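Review bot: The second and third entries' `actualValue` strings read `metadata.labels.Service of name contains 'tiller'` and `spec.selector.Service of name contains 'tiller'`, whereas the matching `expectedValue` strings read `metadata.labels of Service ...` and `spec.selector of Service ...`. The kind and the key look swapped, which suggests the `keyActualValue` sprintf in the query (outside this diff) passes its arguments in the opposite order from `keyExpectedValue`. Since this file is generated from scan output, the fixture would pin that wording; worth correcting the argument order in the rego and regenerating rather than accepting the output as the expected result.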
+++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-cert-file", + "expectedValue": "TLS --tls-cert-file connection setting should be set", + "actualValue": "TLS --tls-cert-file connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-private-key-file", + "expectedValue": "TLS --tls-private-key-file connection setting should be set", + "actualValue": "TLS --tls-private-key-file connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsCertFile", + "expectedValue": "TLS tlsCertFile connection setting should be set", + "actualValue": "TLS tlsCertFile connection not set", + "issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set", + 
"issueType": "MissingAttribute" }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json index 5c25b795c94..eeb10a51b6b 100644 --- a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue" }, { "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json index 5d48942e668..525ec8c58dc 100644 --- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be set to true", + "actualValue": "--use-service-account-credentials flag is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be defined and set to true", + "actualValue": "--use-service-account-credentials flag is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json index 3f40317c868..639745ba31d 100644 --- a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json 
+++ b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Using Kubernetes Native Secret Management", "severity": "INFO", "line": 4, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Secret", + "resourceName": "cluster-secrets", + "searchKey": "metadata.name={{cluster-secrets}}", + "searchValue": "", + "expectedValue": "External secret storage should be used", + "actualValue": "External secret storage is not in use", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json index 08c4f42f9fd..fec5611be06 100644 --- a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 4, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "kind={{Pod}}.metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.namespace should be defined and not null", + "actualValue": "metadata.namespace is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-public", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-system", + "issueType": "IncorrectValue" }, { "queryName": "Using Unrecommended Namespace", 
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.namespace",
+ "searchValue": "Configuration",
+ "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public",
+ "actualValue": "'metadata.namespace' is set to default",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
index 64cdd606528..6814e7cc074 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego
@@ -29,7 +29,7 @@ CxPolicy[result] {
 "searchValue": sprintf("%s%s", [document.kind, type]),
 "keyExpectedValue": sprintf("The properties readOnly and recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} are set to true and Enabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
 "keyActualValue": sprintf("The properties readOnly or recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} are set to false or Disabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
- "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v]),
+ "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v, "name"]),
 }
 }
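Review bot: The new `searchLine` array `[types[x],j, "volumeMounts", v, "name"]` is missing the space after the first comma, unlike the rest of the argument lists in this rule; the same array appears in the `@@ -55,8 +55,8 @@` hunk of this file below. Suggest `[types[x], j, "volumeMounts", v, "name"]` in both places. The enclosing `CxPolicy[result]` rule starts above the hunk, so the bindings of `j` and `v` are not visible here.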
@@ -55,8 +55,8 @@ CxPolicy[result] {
 "issueType": "MissingAttribute",
 "searchValue": sprintf("%s%s", [document.kind, type]),
 "keyExpectedValue": sprintf("The properties readOnly and recursiveReadOnly in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}} should be defined and set to true and Enabled, respectively", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
- "keyActualValue": sprintf("Either readOnly or recursiveReadOnly is missing in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name, metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
- "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v]),
+ "keyActualValue": sprintf("Either readOnly or recursiveReadOnly is missing in metadata.name={{%s}}.%s.%s.name={{%s}}.volumeMounts.name={{%s}}", [metadata.name, specInfo.path, types[x], container.name, volumeMounts[v].name]),
+ "searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x],j, "volumeMounts", v, "name"]),
 }
 }
diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
index 2882a804407..35e74dd64b0 100644
--- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
+++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json
@@ -2,61 +2,131 @@ { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 13, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in 
metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 36, - "fileName": "positive1.yaml" + "line": 37, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 39, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", 
- "line": 39, - "fileName": "positive1.yaml" + "line": 40, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 10, - "fileName": "positive2.yaml" + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 15, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are 
set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 33, - "fileName": "positive2.yaml" + "line": 34, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", - "line": 36, - "fileName": "positive2.yaml" + "line": 37, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json index 4cf484c04f2..f9496076444 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json 
@@ -1,27 +1,54 @@ [ - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.json" - } - ] - \ No newline at end of file + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "filename": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "filename": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 9, + "filename": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue" + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 2, + "filename": "positive4.json", + 
"resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "KubeletConfiguration should have 'tlsCipherSuites' attribute with strong ciphers defined", + "actualValue": "TLS cipher suites are not defined", + "issueType": "MissingAttribute" + } +] diff --git a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json index 103391eb164..13ec0f8e57a 100644 --- a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "firstpod", + "searchKey": "metadata.name=firstpod.spec.containers.name=container.ports", + "searchValue": "", + "expectedValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort should not be defined", + "actualValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort is defined", + "issueType": "IncorrectValue" }, { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 24 + "line": 24, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "secondpod", + "searchKey": "metadata.name=secondpod.spec.template.spec.containers.name=container2.ports", + "searchValue": "", + "expectedValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort should not be defined", + "actualValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort is defined", + "issueType": "IncorrectValue" } ] 
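Review bot: The searchKey values pinned for Workload Host Port Not Specified, `metadata.name=firstpod.spec.containers.name=container.ports`, omit the `{{…}}` delimiters that every other k8s expected result in this change uses (e.g. `metadata.name={{pod-0}}.spec.containers.name={{pod-0}}…`), and expectedValue indexes the port by what looks like its hostIP (`ports[10.0.0.1].hostPort`) rather than by a port name or index. The fixture is faithful to what the query emits, but committing it locks the inconsistent key format into the test suite; if the query is meant to follow the `{{name}}` convention, that is better fixed in its query.rego first and these entries regenerated. This is inferred from the visible entries only; the query itself is not part of this diff.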
diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index 459bc1f3e8a..d389dd00e09 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json 
@@ -2,66 +2,170 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 66 + "line": 66, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 70, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 115 + "line": 112, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", + "actualValue": "Workload 
name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 145 + "line": 115, + "filename": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 175 + "line": 145, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is mounting a host sensitive OS directory '/var/local/static' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 193 + "line": 175, + "filename": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload 
name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 203 + "line": 193, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", + "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 229 + "line": 203, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "web-server-pod", + "searchKey": "metadata.name={{web-server-pod}}.spec.volumes.name={{nginx-host-config}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'web-server-pod' of kind 'Pod' should not mount a host sensitive OS directory '/etc/nginx' with hostPath", + "actualValue": "Workload name 'web-server-pod' of kind 'Pod' is mounting a host sensitive OS directory '/etc/nginx' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 250 + "line": 229, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "malicious-pod", + "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'malicious-pod' 
of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 265 + "line": 250, + "filename": "positive.yaml", + "resourceType": "Pod", + "resourceName": "dood", + "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", + "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 280 + "line": 265, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 70 + "line": 280, + "filename": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host 
sensitive OS directory '/boot' with hostPath", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 299 + "line": 299, + "filename": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'dummy-config' of kind 'Configuration' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json index 7186c53d487..53d5fa8a777 100644 --- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json +++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 42, - "fileName": "positive1.yaml" - } + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 7, + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined in 'template.spec'", + "actualValue": "Service 'timeoutSeconds' is not defined in 'template.spec'", + "issueType": "MissingAttribute" + }, + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 42, + "filename": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.timeoutSeconds", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined to a value higher than '0'", + "actualValue": "Service 'timeoutSeconds' is set to '0'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json index 02fa6c3cbbb..2682355a567 100644 --- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue" }, { "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 5, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json index a725ff6735c..9693951755e 100644 --- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Body Parameter With Wrong Property", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml" + "line": 43, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 20, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml" + "line": 30, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json index 9d10b7eb914..e1362f8c381 100644 --- a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 14, - "filename": "positive2.yaml" + "line": 30, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 14, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 20, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index 0155d666dc8..bb6a22b4d1d 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json 
@@ -2,49 +2,105 @@ { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 38, - "filename": "positive1.json" + "line": 24, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 24, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 24, - "filename": "positive1.json" + "line": 38, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 24, - "filename": "positive1.json" + "line": 49, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml" + "line": 19, + 
"filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml" + "line": 19, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" + "line": 27, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue" }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" + "line": 36, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json index 691824aa1f4..75937285f43 100644 
--- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue" }, { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json index 32928065dce..f7384b7903b 100644 --- a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 8, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json index 112159fbaea..53cc01b345c 100644 --- a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", "line": 33, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", "line": 22, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json index dd1b9779a6d..06de4298cc2 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Host With Invalid Pattern", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue" }, { "queryName": "Host With Invalid Pattern", "severity": "INFO", "line": 6, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json index 04cc86c6670..4eb32fbae22 100644 --- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 27, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue" }, { "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json index 45a2f1271e1..9322a056571 100644 --- a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 11, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 16, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 18, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json index 083b754fcf3..f8a20c131d5 100644 
--- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", "line": 22, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", "line": 30, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json index b1c9a0d9c05..bfda648e57b 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 32, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue" } ] 
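Review bot: Every new `expectedValue`/`actualValue` pair in this hunk says `tokenUrl` while each corresponding `searchKey` ends in `.authorizationUrl`, so the fixture is pinning a remediation message that names the wrong field for an "Invalid OAuth2 Authorization URL" finding. The strings are evidently copied from the query's rego (the generator only fills fields), so the correction belongs there followed by a regenerate, e.g. `"expectedValue": "OAuth2 security definition flow authorizationUrl must be set with a valid URL"` and `"actualValue": "OAuth2 security definition flow authorizationUrl has an invalid URL"`. Separately, `securityDefinitions.api_key.authorizationUrl` suggests the positive sample hangs an OAuth2 flow URL off a scheme named like an API key; worth confirming the sample exercises the case the query title claims.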
diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index 9bb4d0d4a08..23e67efdc55 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute" }, { "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 57036f1a305..cafede0aefa 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute" }, { "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 2220c2b21ec..95b83b18172 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute" }, { "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json index f6cba6674ce..9a366fd6aed 100644 --- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 10, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue" }, { "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json index 12cb526c305..64d23cc6c72 100644 --- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 13, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml" + "line": 37, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 10, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json index a49d349e700..af085dfff51 100644 
--- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json @@ -3,24 +3,52 @@ "queryName": "Non Body Parameter Without Schema", "severity": "INFO", "line": 16, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml" + "line": 37, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 13, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json index ead08115961..f8f6533f1ea 100644 --- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", "line": 33, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue" }, { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", "line": 21, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json index 8be9ac9534d..42d06a05fbc 100644 --- a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json 
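Review bot: The new `expectedValue`/`actualValue` strings in the non_oauth2_security_requirement_defining_oauth2_scopes hunk are inverted relative to what the query detects: the finding is that a non-OAuth2 (`basic`) scheme defines OAuth2 scopes, yet the message tells the user the scheme "should specify scopes for type 'basic'", i.e. it recommends the flagged state. Because these strings are copied from the rego, fix them there and regenerate rather than hand-editing this file, e.g. `"expectedValue": "security scheme petstore_auth should not define scopes because its type is 'basic'"` and `"actualValue": "security scheme petstore_auth defines scopes although its type is 'basic'"`. A MEDIUM finding whose remediation text points the wrong way is worth correcting before the fixture locks it in.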
+++ b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json @@ -2,25 +2,53 @@ { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 20, - "filename": "positive1.json" + "line": 3, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 3, - "filename": "positive1.json" + "line": 20, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue" } ] 
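Review bot: In this hunk `issueType` is `IncorrectValue` for results whose own `actualValue` reads "info is missing required fields" and "Parameter object does not have 'type' defined", whereas sibling fixtures in the same diff tag absent fields as `MissingAttribute` (e.g. the "'consumes' is missing" results); if the rego really emits IncorrectValue here, the taxonomy is inconsistent and anything filtering on issueType will misclassify these findings. The `searchKey` value `info.` with a trailing dot also looks like a sprintf with an empty suffix rather than a real document path; I would confirm both against query.rego before accepting the fixture. The likely rego change is `"issueType": "MissingAttribute"` on both result branches, then a regenerate of this file.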
diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json index 9acfc9fea22..6d0eda861cb 100644 --- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 34, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute" }, { "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json index 9273c0f82cd..5b9b26fa967 100644 --- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", "line": 17, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", + "actualValue": "operation object parameters use both 'body' and 'formatData' locations", + "issueType": "IncorrectValue" }, { "queryName": "Operation Object Parameters With 'body' And 'formatData' locations", "severity": "INFO", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations", + "actualValue": "operation object parameters use both 'body' and 'formatData' locations", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json index 8fad06ba31e..5ecdd0af134 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json 
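Review bot: The query name and both new message strings in this hunk spell the parameter location `formatData`; the OpenAPI 2.0 `in` value is `formData`, so the fixture pins a typo that also surfaces in scan output and docs. Correcting it touches the query's metadata and rego (and therefore this expected file), so it should be a follow-up rather than a hand edit to this JSON, but it is worth flagging before more fixtures inherit it. Suggested text once fixed upstream: `"expectedValue": "operation object parameters only use one of 'body' or 'formData' locations"` and `"actualValue": "operation object parameters use both 'body' and 'formData' locations"`.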
@@ -3,12 +3,26 @@ "queryName": "Operation Object Without 'consumes'", "severity": "MEDIUM", "line": 9, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.put", + "searchValue": "", + "expectedValue": "paths.{{/}}.put 'consumes' should be defined", + "actualValue": "paths.{{/}}.put 'consumes' is missing", + "issueType": "MissingAttribute" }, { "queryName": "Operation Object Without 'consumes'", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.put", + "searchValue": "", + "expectedValue": "paths.{{/}}.put 'consumes' should be defined", + "actualValue": "paths.{{/}}.put 'consumes' is missing", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json index 8ba5c879c13..b8fe5f39c8a 100644 --- a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 9, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute" }, { "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json index 75ea2ac2f3d..14bf2d167ba 100644 --- a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Operation Summary Too Long", "severity": "INFO", "line": 11, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue" }, { "queryName": "Operation Summary Too Long", "severity": "INFO", "line": 9, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json index ed4f148d15e..445a40bcf04 100644 --- a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json 
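Review bot: Both new message strings in this hunk are inverted for a query titled "Operation Summary Too Long": `should not be less than 120 characters` / `is less than 120 characters` describe the compliant state as the violation and would steer users toward padding summaries. Assuming the rego flags summaries over the limit (the comparison is not visible here), the strings should read `"expectedValue": "Operation summary should not be longer than 120 characters"` and `"actualValue": "Operation summary is longer than 120 characters"`; change them in query.rego and regenerate rather than editing this fixture directly.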
@@ -3,12 +3,26 @@ "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 22, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue" }, { "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 16, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json index ac32c231303..482c89314b7 100644 --- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "Operation Using Implicit Flow",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "Operation Object should not be using implicit flow",
+ "actualValue": "Operation Object is using implicit flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Operation Using Implicit Flow",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "Operation Object should not be using implicit flow",
+ "actualValue": "Operation Object is using implicit flow",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json
index e2eda6d01d7..ec0926ca890 100644
--- a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Operation Using Password Flow",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication",
+ "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Operation Using Password Flow",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication",
+ "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json
index 28de0b8b081..5e7a8605b94 100644
--- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Parameter File Type Not In 'formData'",
 "severity": "INFO",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.name=limit2",
+ "searchValue": "",
+ "expectedValue": "'schema' should be set",
+ "actualValue": "'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Parameter File Type Not In 'formData'",
 "severity": "INFO",
- "line": 10,
- "filename": "positive2.yaml"
+ "line": 31,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.name=limit",
+ "searchValue": "",
+ "expectedValue": "'schema' should be set",
+ "actualValue": "'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Parameter File Type Not In 'formData'",
 "severity": "INFO",
- "line": 31,
- "filename": "positive1.json"
+ "line": 10,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.name=limit2",
+ "searchValue": "",
+ "expectedValue": "'schema' should be set",
+ "actualValue": "'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Parameter File Type Not In 'formData'",
 "severity": "INFO",
 "line": 22,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.name=limit",
+ "searchValue": "",
+ "expectedValue": "'schema' should be set",
+ "actualValue": "'schema' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json
index 261dbfde738..79db3c98be1 100644
--- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Parameter Object With Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User",
+ "searchValue": "",
+ "expectedValue": "Parameters ref points to '#/parameters'",
+ "actualValue": "Parameters ref doesn't point to '#/parameters'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 16,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User",
+ "searchValue": "",
+ "expectedValue": "Parameters ref points to '#/parameters'",
+ "actualValue": "Parameters ref doesn't point to '#/parameters'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json
index 63170f665d1..d57a530626d 100644
--- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Path Scheme Accepts HTTP (v2)",
 "severity": "MEDIUM",
 "line": 13,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.schemes.http",
+ "searchValue": "",
+ "expectedValue": "The Scheme list uses only 'HTTPS' protocol",
+ "actualValue": "The Scheme list uses 'HTTP' protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Scheme Accepts HTTP (v2)",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.schemes.http",
+ "searchValue": "",
+ "expectedValue": "The Scheme list uses only 'HTTPS' protocol",
+ "actualValue": "The Scheme list uses 'HTTP' protocol",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json
index 4adbe93ae00..24d0a403610 100644
--- a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json
@@ -2,73 +2,157 @@
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 54,
- "filename": "positive1.json"
+ "line": 27,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.name",
+ "searchValue": "",
+ "expectedValue": "'name' property is unique throughout the whole API",
+ "actualValue": "'name' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 57,
- "filename": "positive1.json"
+ "line": 30,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.address",
+ "searchValue": "",
+ "expectedValue": "'address' property is unique throughout the whole API",
+ "actualValue": "'address' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 60,
- "filename": "positive1.json"
+ "line": 33,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.age",
+ "searchValue": "",
+ "expectedValue": "'age' property is unique throughout the whole API",
+ "actualValue": "'age' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 38,
- "filename": "positive2.yaml"
+ "line": 54,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.name",
+ "searchValue": "",
+ "expectedValue": "'name' property is unique throughout the whole API",
+ "actualValue": "'name' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 40,
- "filename": "positive2.yaml"
+ "line": 57,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.address",
+ "searchValue": "",
+ "expectedValue": "'address' property is unique throughout the whole API",
+ "actualValue": "'address' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 42,
- "filename": "positive2.yaml"
+ "line": 60,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.age",
+ "searchValue": "",
+ "expectedValue": "'age' property is unique throughout the whole API",
+ "actualValue": "'age' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 27,
- "filename": "positive1.json"
+ "line": 22,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.name",
+ "searchValue": "",
+ "expectedValue": "'name' property is unique throughout the whole API",
+ "actualValue": "'name' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 30,
- "filename": "positive1.json"
+ "line": 24,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.address",
+ "searchValue": "",
+ "expectedValue": "'address' property is unique throughout the whole API",
+ "actualValue": "'address' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 33,
- "filename": "positive1.json"
+ "line": 26,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.schema.properties.age",
+ "searchValue": "",
+ "expectedValue": "'age' property is unique throughout the whole API",
+ "actualValue": "'age' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 22,
- "filename": "positive2.yaml"
+ "line": 38,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.name",
+ "searchValue": "",
+ "expectedValue": "'name' property is unique throughout the whole API",
+ "actualValue": "'name' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 24,
- "filename": "positive2.yaml"
+ "line": 40,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.address",
+ "searchValue": "",
+ "expectedValue": "'address' property is unique throughout the whole API",
+ "actualValue": "'address' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Not Unique",
 "severity": "INFO",
- "line": 26,
- "filename": "positive2.yaml"
+ "line": 42,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.limitParam.properties.age",
+ "searchValue": "",
+ "expectedValue": "'age' property is unique throughout the whole API",
+ "actualValue": "'age' property is not unique throughout the whole API",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json
index b14643b039a..f935f08d2ae 100644
--- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Response Object With Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/responses'",
+ "actualValue": "Response ref doesn't point to '#/responses'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response Object With Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 12,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/responses'",
+ "actualValue": "Response ref doesn't point to '#/responses'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json
index 92c755b5e26..024dc5760ad 100644
--- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Schema Object Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 29,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.Success.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema ref points to '#/definitions'",
+ "actualValue": "Schema ref doesn't point to '#/definitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema Object Incorrect Ref (v2)",
 "severity": "INFO",
 "line": 19,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.Success.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema ref points to '#/definitions'",
+ "actualValue": "Schema ref doesn't point to '#/definitions'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json
index 906693d3928..187792791b9 100644
--- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 28,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 22,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 29,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 51,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.User.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 23,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schema with 'additionalProperties' set as Boolean",
 "severity": "INFO",
 "line": 34,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.User.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set as an object value",
+ "actualValue": "'additionalProperties' is set as a boolean value",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json
index 6a968ab699b..760520014d2 100644
--- a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Schemes Uses HTTP",
 "severity": "MEDIUM",
 "line": 13,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.schemes.http",
+ "searchValue": "",
+ "expectedValue": "The Scheme list uses only 'HTTPS' protocol",
+ "actualValue": "The Scheme list uses 'HTTP' protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Schemes Uses HTTP",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.schemes.http",
+ "searchValue": "",
+ "expectedValue": "The Scheme list uses only 'HTTPS' protocol",
+ "actualValue": "The Scheme list uses 'HTTP' protocol",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json
index 20b6c9b5305..dac7bb86cb0 100644
--- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json
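Review bot: The fixture being regenerated here lives under `assets/queries/openAPI/2.0/schemes_uses_http copy/`, and a directory name with a space and a "copy" suffix looks like an accidental duplicate rather than a real query; its expectedValue/actualValue strings (`The Scheme list uses only 'HTTPS' protocol` / `The Scheme list uses 'HTTP' protocol`) are identical to those of the path_scheme_accepts_http fixture earlier in this diff, differing only in the searchKey segment (`get` vs `{{get}}`). If the directory is a stray duplicate, updating its expected results entrenches it and the query will keep running twice in the test suite; confirm whether it is meant to exist before landing this hunk, and if it is intentional, rename it to a slug without the space so it matches the other query directories.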
@@ -3,12 +3,26 @@
 "queryName": "Security Definitions Allows Password Flow",
 "severity": "MEDIUM",
 "line": 27,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow",
+ "searchValue": "",
+ "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication",
+ "actualValue": "security definition allows 'password' flow in OAuth2 authentication",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Definitions Allows Password Flow",
 "severity": "MEDIUM",
 "line": 19,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow",
+ "searchValue": "",
+ "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication",
+ "actualValue": "security definition allows 'password' flow in OAuth2 authentication",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json
index d995a2572d8..99d741c0033 100644
--- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Security Definitions Undefined or Empty",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "'securityDefinitions' should be set and not empty",
+ "actualValue": "'securityDefinitions' is undefined or empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Definitions Undefined or Empty",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "'securityDefinitions' should be set and not empty",
+ "actualValue": "'securityDefinitions' is undefined or empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Definitions Undefined or Empty",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "'securityDefinitions' should be set and not empty",
+ "actualValue": "'securityDefinitions' is undefined or empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Security Definitions Undefined or Empty",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "'securityDefinitions' should be set and not empty",
+ "actualValue": "'securityDefinitions' is undefined or empty",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json
index ec44a6d6bd7..78ba1679e70 100644
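Review bot: Four entries with byte-identical expectedValue/actualValue strings are given two different issueType values in this hunk: positive1.json and positive2.yaml get `"issueType": "IncorrectValue"` while positive3.json and positive4.yaml get `"issueType": "MissingAttribute"`, all with `"actualValue": "'securityDefinitions' is undefined or empty"` and the same `"searchKey": "swagger"`. That split is plausible if the query has one branch for an empty securityDefinitions block (IncorrectValue) and another for an absent one (MissingAttribute), but nothing in the fixture records which case each positive file exercises, so a matcher that derives issueType from the expectedValue/actualValue pattern cannot reproduce it and a future regeneration could silently flip these values. Confirm each of the four values against the corresponding branch in the query's rego and the content of positive3.json/positive4.yaml, and consider making the two branches emit distinct actualValue strings (for example `'securityDefinitions' is undefined` and `'securityDefinitions' is empty`) so the issueType is self-evident from the fixture.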
--- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Security Definitions Using Basic Auth",
 "severity": "MEDIUM",
 "line": 25,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type",
+ "searchValue": "",
+ "expectedValue": "security definition should not be using basic authentication",
+ "actualValue": "security definition is using basic authentication",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Definitions Using Basic Auth",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type",
+ "searchValue": "",
+ "expectedValue": "security definition should not be using basic authentication",
+ "actualValue": "security definition is using basic authentication",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json
index f25b64d1c59..041754a86c0 100644
--- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Security Requirement Not Defined In Security Definition",
 "severity": "HIGH",
 "line": 33,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "petstore_auth should be defined in 'securityDefinitions'",
+ "actualValue": "petstore_auth is not defined in 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Requirement Not Defined In Security Definition",
 "severity": "HIGH",
 "line": 21,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "petstore_auth should be defined in 'securityDefinitions'",
+ "actualValue": "petstore_auth is not defined in 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Requirement Not Defined In Security Definition",
 "severity": "HIGH",
 "line": 30,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "petstore_auth should be defined in 'securityDefinitions'",
+ "actualValue": "petstore_auth is not defined in 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Requirement Not Defined In Security Definition",
 "severity": "HIGH",
 "line": 21,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "petstore_auth should be defined in 'securityDefinitions'",
+ "actualValue": "petstore_auth is not defined in 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json
index 0ebffca7687..4677f970704 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field",
 "severity": "LOW",
 "line": 23,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "scope error:api should be defined on 'securityDefinitions'",
+ "actualValue": "scope error:api is not defined on 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field",
 "severity": "LOW",
 "line": 33,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.{{oAuth2AuthCodeNeg2}}",
+ "searchValue": "",
+ "expectedValue": "scope error:api should be defined on 'securityDefinitions'",
+ "actualValue": "scope error:api is not defined on 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json
index ab06287ffd1..cd57a0d9b20 100644
--- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations",
 "severity": "LOW",
 "line": 13,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "scope error:api should be defined on 'securityDefinitions'",
+ "actualValue": "scope error:api is not defined on 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations",
 "severity": "LOW",
 "line": 16,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "scope error:api should be defined on 'securityDefinitions'",
+ "actualValue": "scope error:api is not defined on 'securityDefinitions'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json
index f84782e1bdb..50119d0e530 100644
--- a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Unknown Prefix (v2)",
 "severity": "INFO",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.produces",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.produces has only known prefixes",
+ "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Prefix (v2)",
 "severity": "INFO",
 "line": 38,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "produces",
+ "searchValue": "",
+ "expectedValue": "produces has only known prefixes",
+ "actualValue": "aplication/json on 'produces' is an unknown prefix",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Prefix (v2)",
 "severity": "INFO",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.produces",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.produces has only known prefixes",
+ "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Prefix (v2)",
 "severity": "INFO",
 "line": 24,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "produces",
+ "searchValue": "",
+ "expectedValue": "produces has only known prefixes",
+ "actualValue": "aplication/json on 'produces' is an unknown prefix",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json
index 81b318304d5..458e32c0304 100644
--- a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json 
@@ -3,48 +3,104 @@
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 20,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.descripption",
+ "searchValue": "",
+ "expectedValue": "The field 'descripption' is known in the parameters object",
+ "actualValue": "The field 'descripption' is unknown in the parameters object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 40,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.ErrorModel.propppperties",
+ "searchValue": "",
+ "expectedValue": "The field 'propppperties' is known in the definitions object",
+ "actualValue": "The field 'propppperties' is unknown in the definitions object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.nameee",
+ "searchValue": "",
+ "expectedValue": "The field 'nameee' is known in the contact object",
+ "actualValue": "The field 'nameee' is unknown in the contact object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 25,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "taggs",
+ "searchValue": "",
+ "expectedValue": "The field 'taggs' is known in the openapi object",
+ "actualValue": "The field 'taggs' is unknown in the openapi object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 16,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.descripption",
+ "searchValue": "",
+ "expectedValue": "The field 'descripption' is known in the parameters object",
+ "actualValue": "The field 'descripption' is unknown in the parameters object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 28,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.ErrorModel.propppperties",
+ "searchValue": "",
+ "expectedValue": "The field 'propppperties' is known in the definitions object",
+ "actualValue": "The field 'propppperties' is unknown in the definitions object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 6,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.nameee",
+ "searchValue": "",
+ "expectedValue": "The field 'nameee' is known in the contact object",
+ "actualValue": "The field 'nameee' is unknown in the contact object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Property (v2)",
 "severity": "INFO",
 "line": 17,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "taggs",
+ "searchValue": "",
+ "expectedValue": "The field 'taggs' is known in the openapi object",
+ "actualValue": "The field 'taggs' is unknown in the openapi object",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json
index 3b9b810e5e9..4d0aeb2b1eb 100644
--- a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Global Parameter Definition Not Being Used",
 "severity": "INFO",
 "line": 26,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.{{limitParam}}",
+ "searchValue": "",
+ "expectedValue": "parameter definition 'limitParam' is used",
+ "actualValue": "parameter definition 'limitParam' is not being used",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Parameter Definition Not Being Used",
 "severity": "INFO",
 "line": 16,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "parameters.{{limitParam}}",
+ "searchValue": "",
+ "expectedValue": "parameter definition 'limitParam' is used",
+ "actualValue": "parameter definition 'limitParam' is not being used",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json
index 3c30d6ec861..1a448cebbc3 100644
--- a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Global Responses Definition Not Being Used",
 "severity": "INFO",
 "line": 38,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{IllegalInput}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'IllegalInput' is used",
+ "actualValue": "responses definition 'IllegalInput' is not being used",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Responses Definition Not Being Used",
 "severity": "INFO",
- "line": 25,
- "filename": "positive2.yaml"
+ "line": 41,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{GeneralError}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'GeneralError' is used",
+ "actualValue": "responses definition 'GeneralError' is not being used",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Responses Definition Not Being Used",
 "severity": "INFO",
- "line": 41,
- "filename": "positive1.json"
+ "line": 25,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{IllegalInput}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'IllegalInput' is used",
+ "actualValue": "responses definition 'IllegalInput' is not being used",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Responses Definition Not Being Used",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{GeneralError}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'GeneralError' is used",
+ "actualValue": "responses definition 'GeneralError' is not being used",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json
index 366d81a471f..f51befe8909 100644
--- a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Global Schema Definition Not Being Used",
 "severity": "INFO",
 "line": 44,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.{{Tag}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'Tag' is used",
+ "actualValue": "responses definition 'Tag' is not being used",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Schema Definition Not Being Used",
 "severity": "INFO",
 "line": 29,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.{{Tag}}",
+ "searchValue": "",
+ "expectedValue": "responses definition 'Tag' is used",
+ "actualValue": "responses definition 'Tag' is not being used",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json
index 663fbbc97d9..22a9616ec74 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json
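Review bot: The two new entries in unused_schema_definition/test/positive_expected_result.json pin `"expectedValue": "responses definition 'Tag' is used"` and `"actualValue": "responses definition 'Tag' is not being used"` for a query named "Global Schema Definition Not Being Used" whose searchKey is `definitions.{{Tag}}`; the message names the wrong object kind, which presumably mirrors a copy-paste in that query's query.rego rather than a generator error. Freezing it into the fixture makes the wrong wording a tested expectation, so it is better fixed in the query (e.g. `schema definition 'Tag' is used`) and the fixture regenerated before merging. Separately, the 2.0 unused_* fixtures in this and the two preceding hunks carry `"issueType": "MissingAttribute"` while the 3.0 components_*_unused fixtures later in this diff carry `"IncorrectValue"` for the same "definition is never referenced" condition; if that difference is not deliberate in the respective rego files, it is worth aligning now while every fixture is being regenerated.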
@@ -3,36 +3,78 @@
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
 "line": 24,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set to false",
+ "actualValue": "'additionalProperties' is set true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
- "line": 34,
- "filename": "positive3.json"
+ "line": 19,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set to false",
+ "actualValue": "'additionalProperties' is set true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
- "line": 14,
- "filename": "positive5.json"
+ "line": 34,
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.oneOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set to false",
+ "actualValue": "'additionalProperties' is set true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
- "line": 19,
- "filename": "positive2.yaml"
+ "line": 23,
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.oneOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should be set to false",
+ "actualValue": "'additionalProperties' is set true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
- "line": 23,
- "filename": "positive4.yaml"
+ "line": 14,
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' needs to be set and to false",
+ "actualValue": "'additionalProperties' is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Additional Properties Too Permissive",
 "severity": "LOW",
 "line": 12,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' needs to be set and to false",
+ "actualValue": "'additionalProperties' is not set",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json
index 9abd489058a..14a709c079b 100644
--- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Additional Properties Too Restrictive",
 "severity": "LOW",
 "line": 41,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.oneOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should not be false",
+ "actualValue": "'additionalProperties' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Restrictive",
 "severity": "LOW",
- "line": 15,
- "filename": "positive3.json"
+ "line": 25,
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.oneOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should not be false",
+ "actualValue": "'additionalProperties' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Restrictive",
 "severity": "LOW",
- "line": 25,
- "filename": "positive2.yaml"
+ "line": 15,
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.allOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should not be false",
+ "actualValue": "'additionalProperties' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Additional Properties Too Restrictive",
 "severity": "LOW",
 "line": 13,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.allOf",
+ "searchValue": "",
+ "expectedValue": "'additionalProperties' should not be false",
+ "actualValue": "'additionalProperties' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
index 0ae9ec9454f..404aa269d11 100644
--- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 52,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey1",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 57,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey2",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 62,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey3",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 31,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey1",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 35,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey2",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
 "severity": "LOW",
 "line": 39,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.apiKey3",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json
index 27b03bfbc60..89370773f01 100644
--- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Callback Object With Incorrect Ref",
 "severity": "INFO",
 "line": 19,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Callback ref points to '#/components/callbacks'",
+ "actualValue": "Callback ref does not point to '#/components/callbacks'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Callback Object With Incorrect Ref",
 "severity": "INFO",
 "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Callback ref points to '#/components/callbacks'",
+ "actualValue": "Callback ref does not point to '#/components/callbacks'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json
index 684dadd9441..ec02d186ffb 100644
--- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Cleartext Credentials With Basic Authentication For Operation",
 "severity": "MEDIUM",
 "line": 28,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel",
+ "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cleartext Credentials With Basic Authentication For Operation",
 "severity": "MEDIUM",
 "line": 19,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel",
+ "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json
index 2a8e672168c..c4aad0f3286 100644
--- a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Callback Definition Is Unused",
 "severity": "INFO",
 "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.callbacks.{{inProgress}}",
+ "searchValue": "",
+ "expectedValue": "Callback should be used as reference somewhere",
+ "actualValue": "Callback is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Callback Definition Is Unused",
 "severity": "INFO",
 "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.callbacks.{{inProgress}}",
+ "searchValue": "",
+ "expectedValue": "Callback should be used as reference somewhere",
+ "actualValue": "Callback is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json
index b56fe3c1bfc..b4658d17078 100644
--- a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Example Definition Is Unused",
 "severity": "INFO",
 "line": 42,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.examples.{{objectExample}}",
+ "searchValue": "",
+ "expectedValue": "Example should be used as reference somewhere",
+ "actualValue": "Example is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Example Definition Is Unused",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.examples.{{objectExample}}",
+ "searchValue": "",
+ "expectedValue": "Example should be used as reference somewhere",
+ "actualValue": "Example is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json
index 00fd9f860f8..62486ef99c6 100644
--- a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Header Definition Is Unused",
 "severity": "INFO",
 "line": 45,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.headers.{{xPages}}",
+ "searchValue": "",
+ "expectedValue": "Header should be used as reference somewhere",
+ "actualValue": "Header is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Header Definition Is Unused",
 "severity": "INFO",
 "line": 29,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.headers.{{xPages}}",
+ "searchValue": "",
+ "expectedValue": "Header should be used as reference somewhere",
+ "actualValue": "Header is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json
index cf760d785ed..10f72c402c3 100644
--- a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Link Definition Is Unused",
 "severity": "INFO",
 "line": 45,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{APIRepository}}",
+ "searchValue": "",
+ "expectedValue": "Link should be used as reference somewhere",
+ "actualValue": "Link is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Link Definition Is Unused",
 "severity": "INFO",
 "line": 29,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{APIRepository}}",
+ "searchValue": "",
+ "expectedValue": "Link should be used as reference somewhere",
+ "actualValue": "Link is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json
index f770b39933b..7b2a620c615 100644
--- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Object Fixed Field Key Improperly Named",
 "severity": "INFO",
 "line": 45,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.{{schemas}}.{{General Error}}",
+ "searchValue": "",
+ "expectedValue": "components.{{schemas}}.{{General Error}} is properly named",
+ "actualValue": "components.{{schemas}}.{{General Error}}is improperly named",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Object Fixed Field Key Improperly Named",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.{{schemas}}.{{General Error}}",
+ "searchValue": "",
+ "expectedValue": "components.{{schemas}}.{{General Error}} is properly named",
+ "actualValue": "components.{{schemas}}.{{General Error}}is improperly named",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json
index 6265e35f39b..36b84bf9fab 100644
--- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json
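Review bot: Both new entries for components_object_fixed_field_key_improperly_named freeze `"actualValue": "components.{{schemas}}.{{General Error}}is improperly named"`, where the search key and the verb run together without a space while the matching expectedValue reads `... {{General Error}} is properly named`. The fixture only records what the query emits, so the missing space presumably comes from the sprintf format in that query's query.rego; fixing it there and regenerating this file avoids locking the malformed message into the test expectation.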
@@ -3,12 +3,26 @@
 "queryName": "Components Parameter Definition Is Unused",
 "severity": "INFO",
 "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.{{limitParam}}",
+ "searchValue": "",
+ "expectedValue": "Parameter should be used as reference somewhere",
+ "actualValue": "Parameter is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Parameter Definition Is Unused",
 "severity": "INFO",
 "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.{{limitParam}}",
+ "searchValue": "",
+ "expectedValue": "Parameter should be used as reference somewhere",
+ "actualValue": "Parameter is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json
index 05391f42f5c..b8bafc1f574 100644
--- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Components Request Body Definition Is Unused",
 "severity": "INFO",
 "line": 35,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{MyObjectBody}}",
+ "searchValue": "",
+ "expectedValue": "Request body should be used as reference somewhere",
+ "actualValue": "Request body is not used as reference",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Components Request Body Definition Is Unused",
 "severity": "INFO",
 "line": 23,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{MyObjectBody}}",
+ "searchValue": "",
+ "expectedValue": "Request body should be used as reference somewhere",
+ "actualValue": "Request body is not used as reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json
index 4216cdede49..4dfd75f8fab 100644
--- a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Components Response Definition Is Unused",
  "severity": "INFO",
  "line": 50,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{NotFound}}",
+ "searchValue": "",
+ "expectedValue": "Response should be used as reference somewhere",
+ "actualValue": "Response is not used as reference",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Components Response Definition Is Unused",
  "severity": "INFO",
  "line": 33,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{NotFound}}",
+ "searchValue": "",
+ "expectedValue": "Response should be used as reference somewhere",
+ "actualValue": "Response is not used as reference",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json
index e1644ffcb35..1badaf8d26d 100644
--- a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Components Schema Definition Is Unused",
  "severity": "INFO",
  "line": 33,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{MyObject2}}",
+ "searchValue": "",
+ "expectedValue": "Schema should be used as reference somewhere",
+ "actualValue": "Schema is not used as reference",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Components Schema Definition Is Unused",
  "severity": "INFO",
  "line": 22,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{MyObject2}}",
+ "searchValue": "",
+ "expectedValue": "Schema should be used as reference somewhere",
+ "actualValue": "Schema is not used as reference",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json
index d9ab1c4dd10..aa917578531 100644
--- a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Empty Array",
  "severity": "INFO",
  "line": 43,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security",
+ "searchValue": "",
+ "expectedValue": "The array should not be empty",
+ "actualValue": "The array is empty",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Empty Array",
  "severity": "INFO",
  "line": 25,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security",
+ "searchValue": "",
+ "expectedValue": "The array should not be empty",
+ "actualValue": "The array is empty",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json
index 1b3cc6f9b5c..0b9f0805919 100644
--- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Encoding Header 'Content-Type' Improperly Defined",
  "severity": "INFO",
  "line": 70,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Header 'Content-Type' Improperly Defined",
  "severity": "INFO",
  "line": 36,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Header 'Content-Type' Improperly Defined",
  "severity": "INFO",
  "line": 42,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Header 'Content-Type' Improperly Defined",
  "severity": "INFO",
  "line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json
index e0b95e7d014..74f04fab96d 100644
--- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
  "severity": "INFO",
  "line": 70,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
  "severity": "INFO",
  "line": 36,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
  "severity": "INFO",
  "line": 42,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
  "severity": "INFO",
  "line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
index 570b4c2a338..ca000953d06 100644
--- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Example JSON Reference Outside Components Examples",
  "severity": "INFO",
  "line": 77,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref",
+ "searchValue": "",
+ "expectedValue": "#/components/schemas/Address should be declared on components.schemas",
+ "actualValue": "#/components/schemas/Address is not declared on components.schemas",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Example JSON Reference Outside Components Examples",
  "severity": "INFO",
  "line": 51,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref",
+ "searchValue": "",
+ "expectedValue": "#/components/schemas/Address should be declared on components.schemas",
+ "actualValue": "#/components/schemas/Address is not declared on components.schemas",
+ "issueType": "MissingAttribute"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
index 4d40c6ecaee..4fab04ea7f2 100644
--- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Global Security Scheme Using Basic Authentication",
  "severity": "MEDIUM",
  "line": 51,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication",
+ "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Global Security Scheme Using Basic Authentication",
  "severity": "MEDIUM",
  "line": 30,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication",
+ "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication",
+ "issueType": "IncorrectValue"
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
index f828b3df526..3f57cc64607 100644
--- a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
@@ -3,18 +3,39 @@
  "queryName": "Global Server Object Uses HTTP",
  "severity": "MEDIUM",
  "line": 13,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "servers.url.http://staging.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "Global servers' URL should use HTTPS protocol",
+ "actualValue": "Global servers' URL are not using HTTPS protocol",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Global Server Object Uses HTTP",
  "severity": "MEDIUM",
  "line": 8,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "servers.url.http://staging.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "Global servers' URL should use HTTPS protocol",
+ "actualValue": "Global servers' URL are not using HTTPS protocol",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Global Server Object Uses HTTP",
  "severity": "MEDIUM",
  "line": 1,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "Global servers array should be defined",
+ "actualValue": "Global servers array is not defined",
+ "issueType": "MissingAttribute"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json
index 2c75b617544..7204fd06cb0 100644
--- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Header Object With Incorrect Ref",
  "severity": "INFO",
  "line": 73,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Header Object With Incorrect Ref",
  "severity": "INFO",
  "line": 43,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Header Object With Incorrect Ref",
  "severity": "INFO",
  "line": 45,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Header Object With Incorrect Ref",
  "severity": "INFO",
  "line": 29,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
index 7e572881c5b..314401a03e3 100644
--- a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Header Object Without Schema",
  "severity": "MEDIUM",
  "line": 72,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Header Object Without Schema",
  "severity": "MEDIUM",
  "line": 42,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Header Object Without Schema",
  "severity": "MEDIUM",
  "line": 44,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Header Object Without Schema",
  "severity": "MEDIUM",
  "line": 28,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
index 207be6864f4..220735b0a2b 100644
--- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Invalid Content Type For Multiple Files Upload",
  "severity": "INFO",
  "line": 16,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid Content Type For Multiple Files Upload",
  "severity": "INFO",
  "line": 16,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid Content Type For Multiple Files Upload",
  "severity": "INFO",
  "line": 13,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid Content Type For Multiple Files Upload",
  "severity": "INFO",
  "line": 13,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
index 289093176e1..8aaa8ad1cc9 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Invalid Media Type Value (v3)",
  "severity": "INFO",
  "line": 28,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data",
+ "searchValue": "",
+ "expectedValue": "The Media Type should be a valid value",
+ "actualValue": "The Media Type is an invalid value",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid Media Type Value (v3)",
  "severity": "INFO",
  "line": 20,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data",
+ "searchValue": "",
+ "expectedValue": "The Media Type should be a valid value",
+ "actualValue": "The Media Type is an invalid value",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
index 68cd92641b1..0fcab0b60a4 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
@@ -3,36 +3,78 @@
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 23,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 12,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 22,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 31,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 14,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Token URL (v3)",
  "severity": "MEDIUM",
  "line": 30,
- "filename": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
index 88b2c12e4fe..e4cf10b3020 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
@@ -3,24 +3,52 @@
  "queryName": "Invalid OAuth2 Authorization URL (v3)",
  "severity": "MEDIUM",
  "line": 50,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Authorization URL (v3)",
  "severity": "MEDIUM",
  "line": 50,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Authorization URL (v3)",
  "severity": "MEDIUM",
  "line": 32,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  },
  {
  "queryName": "Invalid OAuth2 Authorization URL (v3)",
  "severity": "MEDIUM",
  "line": 32,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
index 371a7814b73..fe70ed5ea9d 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Callback JSON Reference Does Not Exist",
  "severity": "INFO",
  "line": 19,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref",
+ "searchValue": "",
+ "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks",
+ "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Callback JSON Reference Does Not Exist",
  "severity": "INFO",
  "line": 15,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref",
+ "searchValue": "",
+ "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks",
+ "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks",
+ "issueType": "MissingAttribute"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
index 5115e74cc5d..be519e4121b 100644
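Review bot: All four entries of the Invalid OAuth2 Authorization URL hunk carry `"expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL"` and `"actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL"`, while their `searchKey` ends in `.authorizationUrl`; the message names the wrong flow field, so a user reading the finding is pointed at `tokenUrl` when the misconfigured value is the authorization endpoint. The fixture only records what the query emits, so the wording most likely comes from the query's own expected/actual strings, and pinning it here means a later correction of the query will fail this test until the file is regenerated. I would fix the wording at the source to `OAuth2 security schema flow authorizationUrl must be set with a valid URL` / `OAuth2 security schema flow authorizationUrl has an invalid URL` and regenerate this file in the same change, rather than hand-editing the fixture.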
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
@@ -3,12 +3,26 @@
  "queryName": "Example JSON Reference Does Not Exist",
  "severity": "INFO",
  "line": 22,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref",
+ "searchValue": "",
+ "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples",
+ "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples",
+ "issueType": "MissingAttribute"
  },
  {
  "queryName": "Example JSON Reference Does Not Exist",
  "severity": "INFO",
  "line": 19,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref",
+ "searchValue": "",
+ "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples",
+ "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples",
+ "issueType": "MissingAttribute"
  }
  ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
index 06617655473..d52dc44070e 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Header JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 25,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref",
+ "searchValue": "",
+ "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers",
+ "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Header JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 21,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref",
+ "searchValue": "",
+ "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers",
+ "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
index 718e08c300a..023d39158de 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Link JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 26,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.links.$ref",
+ "searchValue": "",
+ "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links",
+ "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Link JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 20,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.links.$ref",
+ "searchValue": "",
+ "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links",
+ "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json
index ed1353b2cd2..fc49f650877 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Parameter JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 19,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}",
+ "searchValue": "",
+ "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters",
+ "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Parameter JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}",
+ "searchValue": "",
+ "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters",
+ "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json
index bf43445e0fd..6ec18472a5f 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Request Body JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 18,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.$ref",
+ "searchValue": "",
+ "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies",
+ "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Request Body JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 14,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.$ref",
+ "searchValue": "",
+ "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies",
+ "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json
index 34b8bd7edd6..a1bbc548b88 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Response JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.404.$ref",
+ "searchValue": "",
+ "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses",
+ "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 12,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.404.$ref",
+ "searchValue": "",
+ "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses",
+ "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json
index 43ce02549c2..b17b708a97f 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Schema JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref",
+ "searchValue": "",
+ "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas",
+ "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Schema JSON Reference Does Not Exist (v3)",
 "severity": "INFO",
 "line": 13,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref",
+ "searchValue": "",
+ "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas",
+ "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json
index e95637f1c8f..1d512cf4cbd 100644
--- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Link Object Incorrect Ref",
 "severity": "INFO",
 "line": 52,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.NotFound.links.{{l}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Link ref points to '#/components/links'",
+ "actualValue": "Link ref does not point to '#/components/links'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object Incorrect Ref",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Link ref points to '#/components/links'",
+ "actualValue": "Link ref does not point to '#/components/links'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object Incorrect Ref",
 "severity": "INFO",
 "line": 34,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.NotFound.links.{{l}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Link ref points to '#/components/links'",
+ "actualValue": "Link ref does not point to '#/components/links'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object Incorrect Ref",
 "severity": "INFO",
 "line": 21,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Link ref points to '#/components/links'",
+ "actualValue": "Link ref does not point to '#/components/links'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json
index c082fa90f9c..c3b8594f577 100644
--- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 71,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{200}}.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object",
+ "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 28,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object",
+ "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 68,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object",
+ "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 51,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{200}}.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object",
+ "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 21,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object",
+ "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object OperationId Does Not Target Operation Object",
 "severity": "INFO",
 "line": 43,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{address}}.operationId",
+ "searchValue": "",
+ "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object",
+ "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json
index 162537e1ebe..3eca9abdc5e 100644
--- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json
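Review bot: The positive2.json and positive5.yaml entries in this hunk pin `expectedValue` as `paths/test.get.responses.200.links.address.operationId ...` but `actualValue` as `paths./test.get.responses.200.links.address.operationId ...` — the separator between `paths` and `/test` is rendered in one message and dropped in the other, and the positive3.json/positive6.yaml entries keep the raw `{{address}}` placeholder in the message where positive1.json renders it as `address`. These fixtures record whatever the query currently emits, so the inconsistency presumably comes from the query's own message formatting rather than from this file, but it is worth confirming before pinning it, since fixing the query later will require regenerating every entry here. The same `paths/.get ...` vs `paths./.get ...` mismatch appears in the link_object_with_both_operation_id_and_operation_ref hunk, and the oauth2_with_implicit_flow and oauth2_with_password_flow hunks likewise carry `{{petstore_auth}}`-style placeholders into the human-readable expected/actual text.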
+++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 70,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{200}}.links.{{address}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}",
+ "searchValue": "",
+ "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 67,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{address}}",
+ "searchValue": "",
+ "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 50,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{200}}.links.{{address}}",
+ "searchValue": "",
+ "expectedValue":
"components.responses.200.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 20,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}",
+ "searchValue": "",
+ "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Link Object With Both 'operationId' And 'operationRef'",
 "severity": "INFO",
 "line": 42,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.links.{{address}}",
+ "searchValue": "",
+ "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined",
+ "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json
index ec22d4c9219..72ed49d48ab 100644
--- a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 49,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content[multipart/data]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 28,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey":
"paths.{{/}}.requestBody.content[text/plain]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 31,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content[application/json]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 20,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName":
"Media Type Object Without Schema",
 "severity": "MEDIUM",
 "line": 20,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.requestBody.content[text/plain]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
index c3483dcaf82..dc33d65495b 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
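Review bot: The `searchKey` values pinned in this hunk address the media-type segment with bracket syntax (`content[application/json]`, `content[multipart/form-data]`, `content[text/plain]`), while the json_reference_does_not_exists_example and json_reference_does_not_exists_header fixtures in the same commit use the `content.{{application/json}}` form for the same kind of key. Both are copied from query output, so the divergence presumably lives in how each query builds its searchKey rather than in this file, but pinning it here turns any later normalization of the key format into a fixture-breaking change; a cross-check against the query before merging would settle whether the bracket form is intended.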
@@ -3,30 +3,65 @@
 "queryName": "OAuth2 With Implicit Flow",
 "severity": "MEDIUM",
 "line": 58,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OAuth2 With Implicit Flow",
 "severity": "MEDIUM",
 "line": 34,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OAuth2 With Implicit Flow",
 "severity": "MEDIUM",
 "line": 37,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow",
+ "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OAuth2 With Implicit Flow",
 "severity": "MEDIUM",
 "line": 27,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow",
+ "actualValue":
"components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OAuth2 With Implicit Flow",
 "severity": "MEDIUM",
 "line": 31,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{oAuth2AuthCode2}}.flows.implicit",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows should not use 'implicit' flow",
+ "actualValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows is using 'implicit' flow",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json
index 544127a05d8..817536de59b 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OAuth2 With Password Flow",
 "severity": "MEDIUM",
 "line": 58,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OAuth2 With Password Flow",
 "severity": "MEDIUM",
 "line": 34,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json
index f156b8ece08..a9fdab49fbc 100644
--- a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json
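Review bot: The messages pinned in both entries of this hunk read `do not contain an 'password' flow` and `contain an 'password' flow`; the article should be `a`, and the expected-value wording uses a plural verb for a single `flows` object, so the fixture is locking in a typo. Because the text is copied from the query's expected/actual strings, the wording fix belongs in the query itself and this file would have to be regenerated alongside it rather than edited by hand.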
@@ -3,108 +3,234 @@ "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 3, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 2, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 9, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.servers", + "searchValue": "", + "expectedValue": "servers has all required fields", + "actualValue": "servers is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 7, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "get has all required fields", + "actualValue": "get is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", 
"severity": "INFO", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.servers", + "searchValue": "", + "expectedValue": "servers has all required fields", + "actualValue": "servers is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 54, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody", + "searchValue": "", + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 62, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 65, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody_2", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 32, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody", + "searchValue": "", + "expectedValue": "requestBody has all required fields", + "actualValue": "requestBody is missing required fields", + 
"issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 36, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 38, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.MyObjectBody_2", + "searchValue": "", + "expectedValue": "requestBodies has all required fields", + "actualValue": "requestBodies is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 27, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200", + "searchValue": "", + "expectedValue": "responses has all required fields", + "actualValue": "responses is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 55, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 72, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.IdParam", + "searchValue": "", + "expectedValue": 
"parameters has all required fields", + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 18, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200", + "searchValue": "", + "expectedValue": "responses has all required fields", + "actualValue": "responses is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 32, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" }, { "queryName": "Object Without Required Property (v3)", "severity": "INFO", "line": 42, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.IdParam", + "searchValue": "", + "expectedValue": "parameters has all required fields", + "actualValue": "parameters is missing required fields", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json index 99c86a1a63c..f1b56fb6d8b 100644 --- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 11, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters", + "searchValue": "", + "expectedValue": "paths./.get.parameters.0.content has one entry", + "actualValue": "paths./.get.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 78, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./user/{id}.parameters", + "searchValue": "", + "expectedValue": "paths./user/{id}.parameters.0.content has one entry", + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 44, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "components.parameters.idParam.content has one entry", + "actualValue": "components.parameters.idParam.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters", + "searchValue": "", + "expectedValue": "paths./.get.parameters.0.content has one entry", + "actualValue": "paths./.get.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 48, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + 
"resourceName": "", + "searchKey": "paths./user/{id}.parameters", + "searchValue": "", + "expectedValue": "paths./user/{id}.parameters.0.content has one entry", + "actualValue": "paths./user/{id}.parameters.0.content has multiple entries", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object Content With Multiple Entries", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "components.parameters.idParam.content has one entry", + "actualValue": "components.parameters.idParam.content has multiple entries", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json index d2e84125b05..486e8250950 100644 --- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 56, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 59, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", "line": 67, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 46, - "filename": "positive2.yaml" + "line": 41, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { 
"queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 41, - "filename": "positive2.yaml" + "line": 42, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Incorrect Ref (v3)", "severity": "INFO", - "line": 42, - "filename": "positive2.yaml" + "line": 46, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam", + "searchValue": "", + "expectedValue": "Parameter Object ref points to '#/components/parameters'", + "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json index 31e4d7c7525..74fa8623901 100644 --- a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Parameter Object With Schema And Content", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", "line": 73, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", "line": 45, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", 
"severity": "INFO", "line": 20, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{limit}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Object With Schema And Content", "severity": "INFO", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{limit}}", + "searchValue": "", + "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined", + "actualValue": "Parameter Object has both 'schema' and 'content' defined", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json index 45a055a7e39..44495c9079f 100644 --- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 55, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 40, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)", + "issueType": 
"MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 10, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object With Undefined Type", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi.components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)", + "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json index b6873a7ca41..0e11c76c875 100644 --- a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json 
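Review bot: Every `expectedValue` and `actualValue` in this hunk ends in `%!(EXTRA string=id)`, which is Go's fmt marker for a format call that received more arguments than its verbs consume; the fixture is codifying a bug rather than the intended message. The likely cause is that the query's sprintf passes the parameter name (`id`) but the format string has no `%s` for it, so either the verb is missing from the format string or the extra argument should be dropped; that has to be fixed in `query.rego` (outside this diff) and the expected results regenerated, giving e.g. `"expectedValue": "paths.{{/}}.parameters type should be defined"`. As written, any future fix to the message will break these six expectations, and the garbled text will surface verbatim in user-facing findings until then.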
@@ -3,36 +3,78 @@ "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 11, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 64, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/}}.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 44, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 39, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/user/}}.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 
'schema' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Parameter Object Without Schema", "severity": "MEDIUM", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json index e4d4cafd7a9..169df0fda70 100644 --- a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}", + "searchValue": "", + "expectedValue": "Path Server Object url uses 'HTTPS' protocol", + "actualValue": "Path Server Object url uses 'HTTP' protocol", + "issueType": "IncorrectValue" }, { "queryName": "Path Server Object Uses HTTP (v3)", "severity": "MEDIUM", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}", + "searchValue": "", + "expectedValue": "Path Server Object url uses 'HTTPS' protocol", + "actualValue": "Path Server Object url uses 'HTTP' protocol", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json index a454d70f7e3..13670d64c13 100644 --- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 47, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 30, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", 
\"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 32, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 16, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 31, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one 
of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json index cd75a47c8cc..bf70fa4ea3f 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json 
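Review bot: The `actualValue` strings in this hunk spell the OpenAPI parameter property as `"sytle"` five times per entry (`{\"sytle\": \"simple\", \"explode\": false}` …), so the misspelling is now locked in as the expected scanner message. The property is `style`, and the explanation would be clearer as `(due to one of the following cases: {"style": "simple", "explode": false}, …)` with the comma-spliced cases intact. Since this file only mirrors the query output, the typo presumably lives in the sprintf/literal of the query's `query.rego`; fix it there and regenerate rather than editing the six copies here by hand, otherwise the test will fail against the unchanged query.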
@@ -3,24 +3,52 @@ "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", "line": 49, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", "line": 31, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": 
"IncorrectValue" }, { "queryName": "Property 'allowReserved' of Encoding Object Ignored", "severity": "INFO", "line": 30, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json index cd1698bb853..94f9f17af64 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json 
@@ -2,37 +2,79 @@
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
- "line": 59,
- "filename": "positive1.json"
+ "line": 43,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
- "line": 43,
- "filename": "positive1.json"
+ "line": 59,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{id}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
"line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
"line": 37,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{id}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
"line": 43,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Property 'allowReserved' Improperly Defined",
"severity": "INFO",
"line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json
index bf8e259e7a7..77b6b58af3e 100644
--- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json
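Review bot: The searchKey on the `/users/{id}` entries (positive1.json line 59, positive2.yaml line 37) is `paths./users/{id}.get.parameters.name={{id}}`, which leaves the path-item key and the operation unwrapped, while the sibling entries in this hunk and the other queries in this change wrap those segments as `{{/}}` and `{{get}}`. That looks like two branches of query.rego building searchKey differently; since these files now pin the string, the branch producing `paths./users/{id}.get…` should emit the same `{{…}}`-wrapped form as its sibling before the expectation is frozen, assuming that is the form the line resolver expects. The 59↔43 swap on the two positive1.json entries appears to be a reorder by line rather than a change in what is flagged; a sentence in the commit message, or a confirmation that the harness compares entries as a set, would save the next reader the diff-reading.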
@@ -3,24 +3,52 @@ "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", "line": 49, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", "line": 31, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'explode' 
of Encoding Object Ignored", "severity": "INFO", "line": 30, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json index 3d983fd274a..0ea20132cd2 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", "line": 49, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", "line": 31, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", 
"line": 30, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json index b3841d340d5..fb1a8bce307 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Request Body With Incorrect Ref", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "Request body ref points to '#/components/requestBodies'", + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'", + "issueType": "IncorrectValue" }, { "queryName": "Request Body With Incorrect Ref", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "Request body ref points to '#/components/requestBodies'", + "actualValue": "Request body ref doesn't point to '#/components/requestBodies'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
index f86cfec9b30..fcce9ac31d7 100644
--- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
@@ -3,24 +3,52 @@
"queryName": "Request Body Object With Incorrect Media Type",
"severity": "INFO",
"line": 64,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Request Body Object With Incorrect Media Type",
"severity": "INFO",
"line": 43,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Request Body Object With Incorrect Media Type",
"severity": "INFO",
"line": 41,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Request Body Object With Incorrect Media Type",
"severity": "INFO",
"line": 30,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json
index 620d091d27d..9d200a6650b 100644
--- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json
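Review bot: Within this one query the searchKey points at different nodes depending on the branch: the components entries (positive1.json line 64, positive3.yaml line 41) end in `.content.{{application/json}}.encoding`, while the paths entries (positive2.json line 43, positive4.yaml line 30) stop at `.content.{{application/octet-stream}}`, even though expectedValue/actualValue name the media-type node in all four. Pinning both forms here freezes that inconsistency; the branch in query.rego that appends `.encoding` should probably drop it so the key matches the prefix used in the messages, e.g. `"searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}"`. The reported line would likely move with that change, so the file should be regenerated rather than hand-edited.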
@@ -3,12 +3,26 @@
"queryName": "Response Object With Incorrect Ref (v3)",
"severity": "INFO",
"line": 44,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/responses'",
+ "actualValue": "Response ref does not point to '#/components/responses'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Response Object With Incorrect Ref (v3)",
"severity": "INFO",
"line": 27,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/responses'",
+ "actualValue": "Response ref does not point to '#/components/responses'",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
index a756e5b90c4..7c01336a2dc 100644
--- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
@@ -3,24 +3,52 @@
"queryName": "Schema Object Incorrect Ref (v3)",
"severity": "INFO",
"line": 76,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Schema Object Incorrect Ref (v3)",
"severity": "INFO",
"line": 16,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Schema Object Incorrect Ref (v3)",
"severity": "INFO",
"line": 46,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Schema Object Incorrect Ref (v3)",
"severity": "INFO",
"line": 16,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue"
}
]
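Review bot: Every expectedValue/actualValue in this hunk spells the reference as `'#components/schemas'`, missing the slash after `#`; a JSON Reference into the schemas section is `#/components/schemas`, and the sibling queries in this same change use `'#/components/requestBodies'` and `'#/components/responses'`. These expected files now pin that text, so the typo should be corrected in the query's message before it is frozen, giving `"expectedValue": "Schema reference points to '#/components/schemas'"` and `"actualValue": "Schema reference does not point to '#/components/schemas'"`. The searchKey `components.requestBodies.NewItem.content…` also leaves `NewItem` unwrapped where the other requestBodies queries here use `{{NewItem}}`; presumably the same rego branch, worth fixing in the same pass.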
diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json index 436d3542a45..6049d19bcf6 100644 --- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 27, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" }, { "queryName": "Schema With Both ReadOnly And WriteOnly", "severity": "INFO", "line": 15, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json index 99678c04b86..aa0ed1d7b00 100644 --- a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Security Field Undefined", "severity": "INFO", "line": 45, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", "severity": "INFO", "line": 45, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", "severity": "INFO", "line": 26, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Field Undefined", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json index 0592b8d8dc9..427054ebf4a 100644 --- a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 14, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 11, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'", + "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'", + "issueType": "MissingAttribute" }, { "queryName": "Security Operation Field Undefined", "severity": "INFO", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.petstore_auth", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in 
'#/components/securitySchemes'",
+ "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute"
}
]
diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
index 855e0f4389d..8fbf2f1545c 100644
--- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
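Review bot: The searchKey `paths.{{/}}.{{get}}.petstore_auth` on all four entries omits the `security` segment that the expectedValue itself names (`paths.{{/}}.{{get}}.security[0].petstore_auth`), so the key does not identify the node the message describes. Unless the line resolver deliberately matches on the last key only, this should be `"searchKey": "paths.{{/}}.{{get}}.security.petstore_auth"`, in line with the root-level sibling query in this change, whose key is `security.petstore_auth`. The lines (14, 14, 11, 11) resolved anyway, so I'd confirm how the resolver treats the missing segment before regenerating; the fix belongs in query.rego, not in this file by hand.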
@@ -3,24 +3,52 @@
"queryName": "Security Requirement Object With Wrong Scopes",
"severity": "INFO",
"line": 9,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Security Requirement Object With Wrong Scopes",
"severity": "INFO",
"line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Security Requirement Object With Wrong Scopes",
"severity": "INFO",
"line": 28,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/pets}}.get.security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Security Requirement Object With Wrong Scopes",
"severity": "INFO",
"line": 19,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/pets}}.get.security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
index 7fe97f3cda0..5c42a706442 100644
--- a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
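Review bot: On all four entries expectedValue and actualValue are the identical string `'security.api_key' has no scopes defined for security scheme of type 'apiKey'`, so the expectation records no difference between the compliant state and the flagged one. Per the OpenAPI 3.0 Security Requirement Object, scopes are only meaningful for `oauth2`/`openIdConnect` and the array MUST be empty for other scheme types, so expectedValue should read something like `"'security.api_key' should have an empty scopes array for security scheme of type 'apiKey'"`, with actualValue describing what the fixture actually contains. If the positive fixtures list scopes under `api_key` (which is what a 'wrong scopes' finding on an apiKey scheme implies), 'has no scopes defined' also states the opposite of what was detected; I cannot see the fixtures from this hunk. Either way the wording lives in query.rego and these files should be regenerated after it is fixed rather than edited here.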
@@ -3,36 +3,78 @@ "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 2, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "Components is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 44, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 1, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "Components is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 25, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components", + "searchValue": "", + "expectedValue": "A security scheme on 
components should be defined", + "actualValue": "A security scheme is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Field 'securityScheme' On Components Is Undefined", "severity": "MEDIUM", "line": 26, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes", + "searchValue": "", + "expectedValue": "A security scheme on components should be defined", + "actualValue": "A security scheme is an empty object", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json index aa4a27d8581..802ad4a765a 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Basic", "severity": "LOW", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json index 22356392f89..181a883e1d9 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Scheme Using HTTP Digest", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Digest", "severity": "LOW", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json index fe5a5c177ac..192f59478c5 100644 --- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Scheme Using HTTP Negotiate", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using HTTP Negotiate", "severity": "LOW", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json index 14942d4e108..23ea85d3778 100644 --- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Scheme HTTP Unknown Scheme", "severity": "MEDIUM", "line": 57, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme HTTP Unknown Scheme", "severity": "MEDIUM", "line": 33, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry", + "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json index bab0376f9f5..b987e334f12 100644 --- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", "line": 55, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme", + "issueType": "IncorrectValue" }, { "queryName": "Security Scheme Using Oauth 1.0", "severity": "LOW", "line": 31, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme", + "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json index 09f4d215b99..ebbdb1de06d 100644 --- a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Server Object Variable Not Used", "severity": "INFO", "line": 38, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "issueType": "IncorrectValue" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", "line": 35, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '", + "issueType": "IncorrectValue" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", "line": 30, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'", + "issueType": 
"IncorrectValue" }, { "queryName": "Server Object Variable Not Used", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'", + "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json index b7f1e790c41..65f23ae6648 100644 --- a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Server URL Not Absolute", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", "line": 32, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", "line": 24, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Not Absolute", "severity": "INFO", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL", + "actualValue": 
"paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json index 6816f4e3949..b1e16150003 100644 --- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 32, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 24, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", 
"line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json index ac32cb6058d..d59185ca9f2 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Servers Array Undefined", "severity": "INFO", "line": 2, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute" }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue" }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 1, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute" }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json index ef6cef28d07..032063b58c6 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index f69ced81316..1e4cf39ab6b 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 26, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 26, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 18, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 17, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 95d8ff3ab0d..6e24f0ec8b5 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 15, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 15, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 13, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 12, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json index 0e4a3242196..0bbfeaaee4d 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 19, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 30, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", + "actualValue": 
"paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json index c95c29decd1..0505237918b 100644 --- a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 3, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe:' is known in the schema object", + "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 20, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 12, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 2, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 19, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe' is known in the schema object", + "actualValue": "The field 
'tybhbhbpe' is unknown in the schema object", + "issueType": "IncorrectValue" }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json index de1584ca153..bf4c4ed1b53 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 45, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 46, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 47, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be 
transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 28, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 22, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 23, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 14, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 15, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + 
"searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json index 7ecae3a47ac..f28632c1e37 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 14, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 15, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 16, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 13, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 14, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 15, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue" }, { 
 "queryName": "API Key Exposed In Operation Security (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./pets.post.security.apiKey3",
+ "searchValue": "",
+ "expectedValue": "The API Key should not be transported over network",
+ "actualValue": "The API Key is transported over network",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json
index 55fcc467565..d1ad717e4f8 100644
--- a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json
@@ -3,48 +3,104 @@
 "queryName": "Array Items Has No Type (v3)",
 "severity": "LOW",
 "line": 65,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyIntArray.items",
+ "searchValue": "",
+ "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined",
+ "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Array Items Has No Type (v3)",
 "severity": "LOW",
 "line": 22,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined",
+ "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Array Items Has No Type (v3)",
 "severity": "LOW",
 "line": 21,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined",
+ "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Array Items Has No Type (v3)",
 "severity": "LOW",
"line": 42, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyIntArray.items", + "searchValue": "", + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 19, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 19, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v2)", "severity": "LOW", "line": 25, - "filename": "positive7.json" + "filename": "positive7.json", + 
"resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Items Has No Type (v2)", "severity": "LOW", "line": 20, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json index 656fed9e496..6840d819ab8 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 56, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 28, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 20, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", "line": 31, - "filename": "positive5.json" + 
"filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" }, { "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json index 9143a0d4044..c324581ff92 100644 --- a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 21, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" + }, + { + "queryName": "Default Invalid (v2)", + "severity": "INFO", + "line": 17, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.json" + "filename": 
"positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 19, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 27, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 19, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" }, { "queryName": "Default Invalid (v2)", "severity": "INFO", "line": 16, - "filename": "positive9.json" - }, - { - "queryName": "Default Invalid (v2)", - "severity": "INFO", - "line": 17, - "filename": "positive10.yaml" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json index 9e94753493a..2716ca02c81 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 21, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + 
"searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 21, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": 
"MissingAttribute" }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json index 36d238dc9f7..482b043dbea 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json 
@@ -3,84 +3,182 @@ "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 21, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" + }, + { + "queryName": "Example Not Compliant With Schema Type (v2)", + "severity": "INFO", + "line": 20, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue" + }, + { + "queryName": "Example Not Compliant With Schema Type (v2)", + "severity": "INFO", + "line": 44, + "filename": "positive11.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type", + "issueType": "IncorrectValue" + }, + { + "queryName": "Example Not Compliant With Schema Type (v2)", + "severity": "INFO", + "line": 30, + "filename": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type", + 
"issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 18, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - 
"filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 17, - "filename": "positive6.yaml" + "line": 34, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 34, - "filename": "positive5.json" + "line": 17, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 26, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + 
"expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue" }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 25, - "filename": "positive9.json" - }, - { - "queryName": "Example Not Compliant With Schema Type (v2)", - "severity": "INFO", - "line": 20, - "filename": "positive10.yaml" - }, - { - "queryName": "Example Not Compliant With Schema Type (v2)", - "severity": "INFO", - "line": 44, - "filename": "positive11.json" - }, - { - "queryName": "Example Not Compliant With Schema Type (v2)", - 
"severity": "INFO", - "line": 30, - "filename": "positive12.yaml" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json index c7de883faf8..ffcc2bc4f50 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json 
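Review bot: The new expectedValue and actualValue strings on the v3 entries of this hunk (positive1, positive2, positive3, positive4, positive7, positive8) contain the Go formatting artefact `%!s(MISSING)`, which is what fmt emits when a format string has more verbs than arguments; committing it as the expected result turns a message-formatting defect into a passing test. The v3 expectedValue additionally carries a stray `'` right after the artefact (`examples.%!s(MISSING)' should not be ...`) that the actualValue does not have. The likely origin is the query's message/solution template (outside this diff) not receiving the example key that the searchKey on the same entry already resolves (e.g. `examples.object`, `examples.foo_2`), so the fix is to correct that template and regenerate these fixtures rather than pin the broken text. The v2 entries (positive9 to positive12) render the key correctly and show the intended shape.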
@@ -3,24 +3,52 @@
 "queryName": "Global Security Field Is Undefined (v3)",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "A default security property should be defined",
+ "actualValue": "A default security property is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Security Field Is Undefined (v3)",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "A default security property should be defined",
+ "actualValue": "A default security property is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Security Field Is Undefined (v2)",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "A default security property should be defined",
+ "actualValue": "A default security property is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Security Field Is Undefined (v2)",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "swagger",
+ "searchValue": "",
+ "expectedValue": "A default security property should be defined",
+ "actualValue": "A default security property is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json
index fc1a58f1c29..70666443603 100644
--- a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json
@@ -3,60 +3,130 @@ "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 
43, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 38, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 14, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + 
"expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 21, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json index 91bf763ed24..eceb38f6f4e 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": 
"paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + 
"actualValue": "parameters.limitParam.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", "line": 23, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json index f88a1ce07e1..61ca95b98f9 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json 
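Review bot: Every new `expectedValue` in this hunk ends with an unbalanced quote — `should not be 'Authorization` — while the matching `actualValue` on the same entry closes it (`is 'Authorization'`) and the header_parameter_named_as_accept fixture just above closes both (`should not be 'Accept'`). The same imbalance is present in every entry of the header_parameter_named_as_content_type hunk that follows (`should not be 'Content-Type`). If these fixtures are verbatim captures of the scanner output, the typo presumably lives in the two queries' expected-value templates (not in this diff) and the fixtures are now pinning it, so they will break as soon as someone corrects the message. Suggest fixing the templates first and regenerating, so the entries read `"expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization'"` and the Content-Type counterpart likewise.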
@@ -3,60 +3,130 @@ "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type 
is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 38, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": 
"IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", "line": 23, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index 59f411c5bbd..674b22cbad4 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json 
@@ -3,36 +3,78 @@
 "queryName": "Header Response Name Is Invalid (v3)",
 "severity": "INFO",
 "line": 42,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Header Response Name Is Invalid (v3)",
 "severity": "INFO",
 "line": 28,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Header Response Name Is Invalid (v2)",
 "severity": "INFO",
- "line": 32,
- "filename": "positive3.json"
+ "line": 14,
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Header Response Name Is Invalid (v2)",
 "severity": "INFO",
- "line": 14,
- "filename": "positive3.json"
+ "line": 32,
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{Success}}.headers.{{Accept}}",
+ "searchValue": "",
+ "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'",
+ "actualValue": "responses.{{Success}}.headers contains 'Accept'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Header Response Name Is Invalid (v2)",
 "severity": "INFO",
- "line": 21,
- "filename": "positive4.yaml"
+ "line": 12,
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Header Response Name Is Invalid (v2)",
 "severity": "INFO",
- "line": 12,
- "filename": "positive4.yaml"
+ "line": 21,
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "responses.{{Success}}.headers.{{Accept}}",
+ "searchValue": "",
+ "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'",
+ "actualValue": "responses.{{Success}}.headers contains 'Accept'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json
index 02355545843..b87a7d03da6 100644
--- a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Invalid Contact Email (v3)",
 "severity": "INFO",
 "line": 9,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.email",
+ "searchValue": "",
+ "expectedValue": "info.contact.email has a valid email",
+ "actualValue": "info.contact.email has an invalid email",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact Email (v3)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.email",
+ "searchValue": "",
+ "expectedValue": "info.contact.email has a valid email",
+ "actualValue": "info.contact.email has an invalid email",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact Email (v2)",
 "severity": "INFO",
 "line": 9,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.email",
+ "searchValue": "",
+ "expectedValue": "info.contact.email has a valid email",
+ "actualValue": "info.contact.email has an invalid email",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact Email (v2)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.email",
+ "searchValue": "",
+ "expectedValue": "info.contact.email has a valid email",
+ "actualValue": "info.contact.email has an invalid email",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json
index be38431be9a..087298dba58 100644
--- a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Invalid Contact URL (v3)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.url",
+ "searchValue": "",
+ "expectedValue": "info.contact.url has a valid URL",
+ "actualValue": "info.contact.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact URL (v3)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.url",
+ "searchValue": "",
+ "expectedValue": "info.contact.url has a valid URL",
+ "actualValue": "info.contact.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact URL (v2)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.url",
+ "searchValue": "",
+ "expectedValue": "info.contact.url has a valid URL",
+ "actualValue": "info.contact.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Contact URL (v2)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.contact.url",
+ "searchValue": "",
+ "expectedValue": "info.contact.url has a valid URL",
+ "actualValue": "info.contact.url has an invalid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json
index 20563981948..9ca5660dacd 100644
--- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json 
@@ -3,96 +3,208 @@
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 14,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 14,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 33,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 33,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 37,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is float format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 53,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.id.format=double",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 61,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.percentage.format=int32",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 29,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is float format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 37,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.id.format=double",
+ "searchValue": "",
+ "expectedValue": "integer is int32 or int64 formats",
+ "actualValue": "integer is double format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v3)",
 "severity": "LOW",
 "line": 43,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.percentage.format=int32",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v2)",
 "severity": "LOW",
 "line": 42,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Format (v2)",
 "severity": "LOW",
 "line": 33,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32",
+ "searchValue": "",
+ "expectedValue": "number is float or double formats",
+ "actualValue": "number is int32 format",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json
index 1d7fb0622da..cc181bfa982 100644
--- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Invalid Global External Documentation URL (v3)",
 "severity": "INFO",
 "line": 49,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "externalDocs.url has a valid URL",
+ "actualValue": "externalDocs.url does not have a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Global External Documentation URL (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "externalDocs.url has a valid URL",
+ "actualValue": "externalDocs.url does not have a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Global External Documentation URL (v2)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "externalDocs.url has a valid URL",
+ "actualValue": "externalDocs.url does not have a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Global External Documentation URL (v2)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "externalDocs.url has a valid URL",
+ "actualValue": "externalDocs.url does not have a valid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json
index ec8f7d58e7c..737dfa58fa0 100644
--- a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Invalid License URL (v3)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.license.url",
+ "searchValue": "",
+ "expectedValue": "info.license.url has a valid URL",
+ "actualValue": "info.license.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid License URL (v3)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.license.url",
+ "searchValue": "",
+ "expectedValue": "info.license.url has a valid URL",
+ "actualValue": "info.license.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid License URL (v2)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.license.url",
+ "searchValue": "",
+ "expectedValue": "info.license.url has a valid URL",
+ "actualValue": "info.license.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid License URL (v2)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info.license.url",
+ "searchValue": "",
+ "expectedValue": "info.license.url has a valid URL",
+ "actualValue": "info.license.url has an invalid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json
index cebaacbd067..b78a783a1f2 100644
--- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Invalid Operation External Documentation URL (v3)",
 "severity": "INFO",
 "line": 18,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL",
+ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Operation External Documentation URL (v3)",
 "severity": "INFO",
 "line": 11,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL",
+ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Operation External Documentation URL (v2)",
 "severity": "INFO",
 "line": 18,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL",
+ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Operation External Documentation URL (v2)",
 "severity": "INFO",
 "line": 15,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL",
+ "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json
index bb4b1586ea2..a44cb972002 100644
--- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json
@@ -3,48 +3,104 @@
 "queryName": "Invalid Schema External Documentation URL (v3)",
 "severity": "INFO",
 "line": 61,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{User}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v3)",
 "severity": "INFO",
 "line": 24,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v3)",
 "severity": "INFO",
 "line": 35,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{User}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v3)",
 "severity": "INFO",
 "line": 17,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v2)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v2)",
 "severity": "INFO",
- "line": 37,
- "filename": "positive7.json"
+ "line": 15,
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v2)",
 "severity": "INFO",
- "line": 15,
- "filename": "positive6.yaml"
+ "line": 37,
+ "filename": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.{{User}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Schema External Documentation URL (v2)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive8.yaml"
+ "filename": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.{{User}}.externalDocs.url",
+ "searchValue": "",
+ "expectedValue": "Schema External Documentation URL should be a valid URL",
+ "actualValue": "Schema External Documentation URL is not a valid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json
index 7dd0106fbc0..3fc63ae3a20 100644
--- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json
@@ -3,48 +3,104 @@
 "queryName": "Invalid Tag External Documentation URL (v3)",
 "severity": "INFO",
 "line": 53,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=pets",
+ "searchValue": "",
+ "expectedValue": "tags[0].externalDocs.url has a valid URL",
+ "actualValue": "tags[0].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v3)",
 "severity": "INFO",
 "line": 57,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=store",
+ "searchValue": "",
+ "expectedValue": "tags[1].externalDocs.url has a valid URL",
+ "actualValue": "tags[1].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=pets",
+ "searchValue": "",
+ "expectedValue": "tags[0].externalDocs.url has a valid URL",
+ "actualValue": "tags[0].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v3)",
 "severity": "INFO",
 "line": 30,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=store",
+ "searchValue": "",
+ "expectedValue": "tags[1].externalDocs.url has a valid URL",
+ "actualValue": "tags[1].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v2)",
 "severity": "INFO",
 "line": 30,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=pets",
+ "searchValue": "",
+ "expectedValue": "tags[0].externalDocs.url has a valid URL",
+ "actualValue": "tags[0].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v2)",
 "severity": "INFO",
 "line": 34,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=store",
+ "searchValue": "",
+ "expectedValue": "tags[1].externalDocs.url has a valid URL",
+ "actualValue": "tags[1].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v2)",
 "severity": "INFO",
 "line": 18,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=pets",
+ "searchValue": "",
+ "expectedValue": "tags[0].externalDocs.url has a valid URL",
+ "actualValue": "tags[0].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Tag External Documentation URL (v2)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "tags.name=store",
+ "searchValue": "",
+ "expectedValue": "tags[1].externalDocs.url has a valid URL",
+ "actualValue": "tags[1].externalDocs.url has an invalid URL",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json
index 7b8e7e75477..c9e1fa9f3bc 100644
--- a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Items Undefined (v3)",
 "severity": "INFO",
 "line": 50,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Items Undefined (v3)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Items Undefined (v3)",
 "severity": "INFO",
 "line": 27,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Items Undefined (v3)",
 "severity": "INFO",
 "line": 15,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Items Undefined (v2)",
 "severity": "INFO",
 "line": 19,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users}}.get.responses.200.schema",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Items Undefined (v2)",
 "severity": "INFO",
 "line": 16,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users}}.get.responses.200.schema",
+ "searchValue": "",
+ "expectedValue": "Array items property should be defined",
+ "actualValue": "Array items property is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json
index 8e6db880f46..39802601fd9 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "JSON Object Schema Without Properties (v3)",
 "severity": "MEDIUM",
 "line": 67,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "JSON Object Schema Without Properties (v3)",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "JSON Object Schema Without Properties (v3)",
 "severity": "MEDIUM",
 "line": 40,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "JSON Object Schema Without Properties (v3)",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "JSON Object Schema Without Properties (v2)",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "JSON Object Schema Without Properties (v2)",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema of the JSON object should have 'properties' defined",
+ "actualValue": "Schema of the JSON object does not have 'properties' defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json
index e3a9d38a52e..63adcac878d 100644
--- a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json
@@ -3,36 +3,78 @@ "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 75, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, 
{ "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 16, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" }, { "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json index acf698353a8..b1db17887ee 100644 --- a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 17, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute" 
} ] diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 5db48637405..3f2d706360b 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json 
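Review bot: `"issueType": "MissingAttribute"` on all four new entries reads as the wrong category for this query: the finding is that other properties are present alongside `$ref`, so nothing is missing, and `IncorrectValue` or `RedundantAttribute` would describe it. If these values came from a pattern-match on expectedValue/actualValue rather than from the query's own rego, this may be a fallback; confirm the value query.rego declares before locking it into the fixture. The new `actualValue`, `"Property '$ref'alongside other properties"`, also carries a missing space before `alongside`; since the fixture has to mirror the scanner output byte-for-byte, that typo can only be fixed in the rego message and in this file together.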
@@ -3,126 +3,273 @@ "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 62, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 77, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 77, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 31, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 37, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 47, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { 
"queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 47, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 27, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 19, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 22, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 23, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 28, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 28, - "filename": 
"positive8.json" + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 46, - "filename": "positive9.json" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 55, - "filename": "positive9.json" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json index a993a6d228d..cb75d676a8c 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json 
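Review bot: The two entries for positive1.json line 77 are now byte-identical — same `searchKey` `components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError`, same expected/actual values, same issueType — and the same holds for the two positive3.yaml line 47 entries. The duplication predates this commit, but with the added fields it is visibly the same finding recorded twice; if the query fires two rule branches on the `$ref` schema the fixture now locks that in, and if it does not, a count-sensitive comparison will keep failing, so it is worth confirming against the rego instead of carrying it forward. The two positive9.json entries (lines 46 and 55) likewise share `paths.{{/api/adjectives}}.get.parameters.schema.type` with no array index distinguishing the two parameters, so the searchKey alone cannot tell those findings apart.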
@@ -3,36 +3,78 @@ "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 9, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 46, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 7, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 27, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", "line": 7, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": 
"MissingAttribute" }, { "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", "line": 9, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 24f9f0d6019..49d38fc219a 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 24, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 29, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 44, - "filename": "positive5.json" + "line": 22, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 44, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 22, - "filename": "positive5.json" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index 86c83d955eb..cd707491e08 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 75, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 
46, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index 544f422d0eb..d6b444a7183 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 75, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": 
"LOW", "line": 46, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index d33e3fd50ff..3da88123176 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 74, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": 
"LOW", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" }, { "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json
index 7768016a5b1..1490bf2bba0 100644
--- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json
@@ -3,36 +3,78 @@ "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", "line": 42, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", "line": 32, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 39, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 29, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 
'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 29, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 31, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json index 9d062f0bb69..51f561b6005 100644 --- a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 46, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 15, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": 
"paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 23, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue" }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json index f00373706ce..02cf840f8d6 100644 --- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" }, { "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + 
"actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json index 89ef84063db..790415688fa 100644 --- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json 
@@ -2,121 +2,261 @@ { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 68, - "filename": "positive1.json" + "line": 14, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 82, - "filename": "positive1.json" + "line": 28, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 68, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 82, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 10, - "filename": "positive3.json" + "line": 11, + "filename": "positive2.yaml", + 
"resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 24, - "filename": "positive3.json" + "line": 21, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 53, - "filename": "positive2.yaml" + "line": 43, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 43, - "filename": "positive2.yaml" + "line": 53, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml" + "line": 10, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has 
duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 21, - "filename": "positive2.yaml" + "line": 24, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", "line": 19, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 39, - "filename": "positive5.json" + "line": 11, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 47, - "filename": "positive5.json" + "line": 18, + 
"filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 39, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 18, - "filename": "positive5.json" + "line": 47, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 14, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml" + "line": 19, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter 
Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 26, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue" }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "line": 32, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json index 1ae56a9527b..cc0a543f54a 100644 --- a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml" + "line": 37, + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.otherJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 18, + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.otherParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v2)", 
"severity": "INFO", "line": 21, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" }, { "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json index 3b35fce7422..8fe02567fad 100644 --- a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 6, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 8, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 29, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 21, - "filename": "positive3.yaml" + "filename": 
"positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 31, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index 624a401ce69..c51f895e0d0 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json 
@@ -3,60 +3,130 @@
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 43,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 43,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 10,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
- "line": 8,
- "filename": "positive6.yaml"
+ "line": 19,
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.name={{nameAPI}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
- "line": 19,
- "filename": "positive5.json"
+ "line": 8,
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter Not Required (v3)",
 "severity": "INFO",
 "line": 15,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.name={{nameAPI}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Parameter Not Required (v2)",
 "severity": "INFO",
 "line": 20,
- "filename": "positive7.json"
+ "filename": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Parameter Not Required (v2)",
 "severity": "INFO",
 "line": 14,
- "filename": "positive8.yaml"
+ "filename": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'",
+ "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json
index f7549912a32..e4dcab5a98d 100644
--- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json
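Review bot: Entries whose expectedValue and actualValue text is byte-identical receive different issueType values in this hunk (positive1.json line 43 is `"issueType": "IncorrectValue"` while positive3.json line 43 is `"issueType": "MissingAttribute"`, and likewise positive5.json line 10 versus line 19), so text-pattern matching on those two fields cannot be what decided them. If these values came from an actual scan, the commit message should say so; if they were assigned by hand, a short note in the query's test directory would save the next regeneration from guessing. The hunk also swaps the line/filename pairs of the positive5.json and positive6.yaml entries, which reorders existing entries rather than only inserting fields; the same swap appears in the pattern_undefined and property_allow_empty_value_improperly_defined hunks. That is harmless only if the test comparison is order-insensitive, which is worth confirming.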
@@ -3,24 +3,52 @@
 "queryName": "Path Parameter With No Corresponding Template Path (v3)",
 "severity": "INFO",
 "line": 37,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./yada/foo.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'",
+ "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter With No Corresponding Template Path (v3)",
 "severity": "INFO",
 "line": 59,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'",
+ "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter With No Corresponding Template Path (v2)",
 "severity": "INFO",
 "line": 32,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./people/foo.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'",
+ "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Path Parameter With No Corresponding Template Path (v2)",
 "severity": "INFO",
 "line": 51,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./people/foo.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'",
+ "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json
index 020d02d1f96..573791e2960 100644
--- a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json
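Review bot: All four entries now pin the wording `'id' should have an template path parameter` in both expectedValue and actualValue, so the article slip becomes asserted scanner output rather than a cosmetic issue. Because this file must match the query's messages exactly, correcting it here alone would break the test; the fix belongs in the query's rego message with this file regenerated in the same change, or the wording should be accepted deliberately.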
@@ -3,24 +3,52 @@
 "queryName": "Path Template is Empty (v3)",
 "severity": "INFO",
 "line": 32,
- "filename": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{}",
+ "searchValue": "",
+ "expectedValue": "The path template should not be empty",
+ "actualValue": "The path template is empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Template is Empty (v3)",
 "severity": "INFO",
 "line": 53,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{}",
+ "searchValue": "",
+ "expectedValue": "The path template should not be empty",
+ "actualValue": "The path template is empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Template is Empty (v2)",
 "severity": "INFO",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{}",
+ "searchValue": "",
+ "expectedValue": "The path template should not be empty",
+ "actualValue": "The path template is empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Template is Empty (v2)",
 "severity": "INFO",
 "line": 13,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{}",
+ "searchValue": "",
+ "expectedValue": "The path template should not be empty",
+ "actualValue": "The path template is empty",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json
index a2b1f1bb729..9c3d9bd0c24 100644
--- a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Path Without Operation (v3)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}} has at least one operation object defined",
+ "actualValue": "paths.{{/}} does not have at least one operation object defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Without Operation (v3)",
 "severity": "INFO",
 "line": 6,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}} has at least one operation object defined",
+ "actualValue": "paths.{{/}} does not have at least one operation object defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Without Operation (v2)",
 "severity": "INFO",
 "line": 8,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}} has at least one operation object defined",
+ "actualValue": "paths.{{/}} does not have at least one operation object defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Path Without Operation (v2)",
 "severity": "INFO",
 "line": 6,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}} has at least one operation object defined",
+ "actualValue": "paths.{{/}} does not have at least one operation object defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json
index 1e448ad9fca..95f1627bcfd 100644
--- a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Paths Object is Empty (v3)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths",
+ "searchValue": "",
+ "expectedValue": "The Paths Object should should not be empty",
+ "actualValue": "The Paths Object is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Paths Object is Empty (v2)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths",
+ "searchValue": "",
+ "expectedValue": "The Paths Object should should not be empty",
+ "actualValue": "The Paths Object is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Paths Object is Empty (v3)",
 "severity": "INFO",
 "line": 5,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths",
+ "searchValue": "",
+ "expectedValue": "The Paths Object should should not be empty",
+ "actualValue": "The Paths Object is empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Paths Object is Empty (v2)",
 "severity": "INFO",
 "line": 5,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths",
+ "searchValue": "",
+ "expectedValue": "The Paths Object should should not be empty",
+ "actualValue": "The Paths Object is empty",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json
index 7ac7f3a8171..fb1c467438a 100644
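Review bot: All four entries pin `"expectedValue": "The Paths Object should should not be empty"`, which repeats "should", so the typo is now asserted scanner output. The string presumably originates in the query's rego message, so the fix is to correct the message there and regenerate this file in the same commit; editing the fixture alone would make the test fail.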
--- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json
@@ -2,97 +2,209 @@
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
- "line": 63,
- "filename": "positive1.json"
+ "line": 58,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
- "line": 58,
- "filename": "positive1.json"
+ "line": 63,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 79,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 79,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 27,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 32,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 34,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 38,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 49,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 49,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v3)",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v2)",
 "severity": "MEDIUM",
 "line": 23,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v2)",
 "severity": "MEDIUM",
 "line": 28,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v2)",
 "severity": "MEDIUM",
 "line": 19,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pattern Undefined (v2)",
 "severity": "MEDIUM",
 "line": 23,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type",
+ "searchValue": "",
+ "expectedValue": "'pattern' should be defined",
+ "actualValue": "'pattern' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json
index 0c00d106449..128384b6869 100644
--- a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json
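Review bot: Two pairs of entries are exact duplicates after this change: positive1.json line 79 and positive3.yaml line 49 each appear twice with the same `"searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError"` and the same issueType. Either the query deliberately reports the referenced schema once per property it contains, or the regenerated output was not de-duplicated; that should be checked against the rego before the duplicates are frozen as expected results. The hunk also swaps the line values 58 and 63 of the first two positive1.json entries, which reorders existing entries rather than only inserting fields.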
@@ -3,36 +3,78 @@
 "queryName": "Properties Missing Required Property (v3)",
 "severity": "INFO",
 "line": 56,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined",
+ "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Properties Missing Required Property (v3)",
 "severity": "INFO",
 "line": 38,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined",
+ "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Properties Missing Required Property (v3)",
 "severity": "INFO",
 "line": 54,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined",
+ "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Properties Missing Required Property (v3)",
 "severity": "INFO",
 "line": 37,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined",
+ "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Properties Missing Required Property (v2)",
 "severity": "INFO",
 "line": 27,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.MyObject.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "definitions.MyObject.properties.code.required.name should be defined",
+ "actualValue": "definitions.MyObject.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Properties Missing Required Property (v2)",
 "severity": "INFO",
 "line": 20,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.MyObject.properties.code.required.name",
+ "searchValue": "",
+ "expectedValue": "definitions.MyObject.properties.code.required.name should be defined",
+ "actualValue": "definitions.MyObject.properties.code.required.name is missing",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json
index 9bd4bcc59f3..24ded796175 100644
--- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json
@@ -2,49 +2,105 @@
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
- "line": 59,
- "filename": "positive1.json"
+ "line": 43,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
- "line": 43,
- "filename": "positive1.json"
+ "line": 59,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
 "line": 37,
- "filename": "positive2.yaml"
+ "filename": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
 "line": 43,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)",
 "severity": "INFO",
 "line": 26,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)",
 "severity": "INFO",
 "line": 20,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{metadata}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)",
 "severity": "INFO",
 "line": 15,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{metadata}}",
+ "searchValue": "",
+ "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json
index 5b419b8ba0f..7d812b7d47a 100644
--- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 52,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 71,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 24,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 33,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 47,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 21,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 33,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code",
+ "searchValue": "",
+ "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'",
+ "actualValue": "String schema value has 'minLength' larger than 'maxLength'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 50,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'",
+ "actualValue": "String schema value has 'minLength' larger than 'maxLength'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v3)",
 "severity": "INFO",
 "line": 32,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.message",
+ "searchValue": "",
+ "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'",
+ "actualValue": "Array schema value has 'minItems' larger than 'maxItems'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Property Defining Minimum Greater Than Maximum (v2)",
 "severity": "INFO",
 "line": 25,
- "filename": "positive7.json"
+ "filename": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "definitions.GeneralError.properties.code",
+ "searchValue": "",
+ "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'",
+ "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json
index 8eca405487b..42a98e9ad28 100644
--- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json
@@ -2,49 +2,105 @@
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
- "line": 30,
- "filename": "positive1.json"
+ "line": 14,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
- "line": 14,
- "filename": "positive1.json"
+ "line": 30,
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
 "line": 25,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
 "line": 12,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
 "line": 22,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.MyObject.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v3)",
 "severity": "INFO",
 "line": 23,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v2)",
 "severity": "INFO",
 "line": 23,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Required Property With Default Value (v2)",
 "severity": "INFO",
 "line": 19,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default",
+ "searchValue": "",
+ "expectedValue": "Required properties should not have default defined",
+ "actualValue": "Required properties with default defined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
index fff2d20fb17..d47a904f382 100644
--- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
@@ -3,156 +3,338 @@
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "400 response",
+ "expectedValue": "400 response should be set",
+ "actualValue": "400 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "415 response",
+ "expectedValue": "415 response should be set",
+ "actualValue": "415 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "500 response",
+ "expectedValue": "500 response should be set",
+ "actualValue": "500 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "429 response",
+ "expectedValue": "429 response should be set",
+ "actualValue": "429 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "404 response",
+ "expectedValue": "404 response should be set",
+ "actualValue": "404 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 21,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "200 response",
+ "expectedValue": "200 response should be set",
+ "actualValue": "200 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 21,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "400 response",
+ "expectedValue": "400 response should be set",
+ "actualValue": "400 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 21,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "429 response",
+ "expectedValue": "429 response should be set",
+ "actualValue": "429 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 21,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "500 response",
+ "expectedValue": "500 response should be set",
+ "actualValue": "500 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "401 response",
+ "expectedValue": "401 response should be set when security field is defined",
+ "actualValue": "401 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "403 response",
+ "expectedValue": "403 response should be set when security field is defined",
+ "actualValue": "403 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "400 response",
+ "expectedValue": "400 response should be set",
+ "actualValue": "400 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "429 response",
+ "expectedValue": "429 response should be set",
+ "actualValue": "429 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "404 response",
+ "expectedValue": "404 response should be set",
+ "actualValue": "404 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "415 response",
+ "expectedValue": "415 response should be set",
+ "actualValue": "415 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "500 response",
+ "expectedValue": "500 response should be set",
+ "actualValue": "500 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 16,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "500 response",
+ "expectedValue": "500 response should be set",
+ "actualValue": "500 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 16,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "200 response",
+ "expectedValue": "200 response should be set",
+ "actualValue": "200 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 16,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "400 response",
+ "expectedValue": "400 response should be set",
+ "actualValue": "400 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 16,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{options}}.responses",
+ "searchValue": "429 response",
+ "expectedValue": "429 response should be set",
+ "actualValue": "429 response is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "403 response",
+ "expectedValue": "403 response should be set when security field is defined",
+ "actualValue": "403 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "401 response",
+ "expectedValue": "401 response should be set when security field is defined",
+ "actualValue": "401 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "401 response",
+ "expectedValue": "401 response should be set when security field is defined",
+ "actualValue": "401 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive5.json"
+ "filename": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "403 response",
+ "expectedValue": "403 response should be set when security field is defined",
+ "actualValue": "403 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v2)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "401 response",
+ "expectedValue": "401 response should be set when security field is defined",
+ "actualValue": "401 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response Code Missing (v2)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.{{put}}.responses",
+ "searchValue": "403 response",
+ "expectedValue": "403 response should be set when security field is defined",
+ "actualValue": "403 response is undefined when security field is defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
index a5b288523c3..3feaf1a564a 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
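Review bot: The entries for positive1.json line 12 appear in the order 400, 415, 500, 429, 404 and those for positive3.yaml line 10 as 400, 429, 404, 415, 500, which looks like unsorted set-iteration order from the query rather than a deterministic ordering. If the expected-result comparison is order-sensitive, every regeneration of this fixture is likely to produce spurious churn on these lines; if it is order-insensitive this is harmless but still makes the file hard to diff by eye. Having the generator sort entries by `filename`, `line`, `searchValue` before writing would make the fixture stable without changing what it asserts.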
@@ -3,36 +3,78 @@
 "queryName": "Response on operations that should not have a body has declared content (v3)",
 "severity": "LOW",
 "line": 29,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined",
+ "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
 "severity": "LOW",
 "line": 20,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.responses.{{200}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined",
+ "actualValue": "paths.{{/}}.responses.{{200}}.content is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
 "severity": "LOW",
 "line": 23,
- "filename": "positive3.yaml"
+ "filename": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined",
+ "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
 "severity": "LOW",
 "line": 17,
- "filename": "positive4.yaml"
+ "filename": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.responses.{{200}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined",
+ "actualValue": "paths.{{/}}.responses.{{200}}.content is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v2)",
 "severity": "LOW",
 "line": 13,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.responses.{{200}}.schema",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined",
+ "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v2)",
 "severity": "LOW",
 "line": 15,
- "filename": "positive6.json"
+ "filename": "positive6.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.responses.{{200}}.schema",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined",
+ "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json
index 8f1c35ed02e..d38430d0265 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json
@@ -3,72 +3,156 @@
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive1.json"
+ "filename": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "paths./.get.responses.200.content should be defined",
+ "actualValue": "paths./.get.responses.200.content is undefined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Response on operations that should have a body has undefined schema (v2)",
+ "severity": "MEDIUM",
+ "line": 15,
+ "filename": "positive10.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "paths./.get.responses.200.schema should be defined",
+ "actualValue": "paths./.get.responses.200.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive3.json"
+ "filename": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 20,
- "filename": "positive4.json"
+ "filename": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive5.yaml"
+ "filename": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "paths./.get.responses.200.content should be defined",
+ "actualValue": "paths./.get.responses.200.content is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive6.yaml"
+ "filename": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 19,
- "filename": "positive7.yaml"
+ "filename": "positive7.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v3)",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive8.yaml"
+ "filename": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Response on operations that should have a body has undefined schema (v2)",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive9.json"
- },
- {
- "queryName": "Response on operations that should have a body has undefined schema (v2)",
- "severity": "MEDIUM",
- "line": 15,
- "filename": "positive10.yaml"
+ "filename": "positive9.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "paths./.get.responses.200.schema should be defined",
+ "actualValue": "paths./.get.responses.200.schema is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json
index bdae2a7033f..25f16bbd753 100644
--- a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json
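Review bot: The same v3 query is pinned here with two different searchKey styles: `paths./.get.responses.200` for positive1.json and positive5.yaml (the "content should be defined" case) versus `paths.{{/}}.{{get}}.responses.{{200}}...` for positive2.json onward. That suggests the rego builds the key differently in the branch that fires when `content` itself is missing, and committing the fixture as-is locks that inconsistency in; if the un-braced form is unintended, the query is the place to fix it and this file should be regenerated afterwards. The positive10.yaml entry also moves from the end of the file to just after positive1.json, consistent with lexicographic filename ordering, which is fine only if the comparison does not depend on entry order.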
@@ -3,36 +3,78 @@ "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 21, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", "line": 12, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", "line": 
10, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json index e80d64f6c04..c8891f27ae2 100644 --- a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 13, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 39, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 11, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 13, - 
"filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 39, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 11, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json index 9a7428a8c86..0959a336abd 100644 --- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "filename": 
"positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 25, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": 
"paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json index f486155aa9a..8c01cede84b 100644 --- a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json 
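Review bot: The new expectedValue/actualValue strings for the positive2.json, positive4.yaml, positive7.json and positive8.yaml entries contain the Go format-error marker `%!s(MISSING)`, which indicates the message was produced from a format string with more `%s` verbs than arguments, so these fixtures pin a malformed message as the correct output rather than catching it. The same marker appears in the schema_discriminator_not_required and schema_discriminator_property_not_string sections that follow. The message construction in the query (or the generator's sprintf handling, if that is where the text comes from) should be fixed and these entries regenerated so the expected text reads as a plain path such as `paths.{{/}}.get.responses.200.discriminator should be set in 'properties'`; until then a reviewer comparing scan output against this file will see a pass for a visibly broken string.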
@@ -3,48 +3,104 @@ "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 35, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 16, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Not 
Required (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json index c74b919f275..8cd08255472 100644 --- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 22, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" }, { "queryName": "Schema Discriminator Property 
Not String (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index 4a384929bae..db68a4606bd 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", "severity": 
"INFO", - "line": 50, - "filename": "positive5.json" + "line": 14, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 35, - "filename": "positive6.yaml" + "line": 50, + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 14, - "filename": "positive5.json" + "line": 12, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 12, - "filename": "positive6.yaml" + "line": 35, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json index 28f8a049e58..c95197fd5d9 100644 --- a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 50, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 22, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 27, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 15, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", "line": 20, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object 
should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 26, - "filename": "positive7.json" + "line": 13, + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml" + "line": 26, + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json index b651764ca9b..d1a40736b51 100644 --- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json 
@@ -3,108 +3,234 @@ "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 38, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out 
the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 28, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 37, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 28, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 44, 
- "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 57, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 24, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 34, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + 
"expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 41, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 44, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + 
"issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 57, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 24, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 34, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 41, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + 
"resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json index 483a7ba23c6..b674915c724 100644 --- a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json 
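Review bot: The two "(v2)" entries for positive5.json and positive6.yaml carry a v3-shaped searchKey, `paths.{{/}}.get.responses.200.content.{{application/json}}.message`, while every other v2 fixture in this diff addresses the Swagger 2.0 response schema as `paths.{{/}}.get.responses.200.schema`; a `content.{{application/json}}` segment does not exist under a 2.0 response object. Since these files are recorded scanner output, the mismatch most likely means the v2 rule or the positive5/positive6 samples are being evaluated on a v3 document shape rather than a fixture typo — worth confirming against the sample files before the expected values are frozen here. Because the expected-result files are what the test harness asserts against, a wrong searchKey committed now will be silently locked in as "correct" for the duplicated-keys query.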
@@ -3,24 +3,52 @@ "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": "INFO", "line": 46, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 45, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": "INFO", "line": 32, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own 
schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json index b7d43de1e87..b65c2af41aa 100644 --- a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 31, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 19, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", "line": 
20, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" }, { "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", "line": 17, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json index 19bea1c594e..6c0e45fd913 100644 --- a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json 
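Review bot: The v3 entries for positive1.json and positive3.yaml record searchKey `components.GeneralError.schema`, which is not a path that exists in an OpenAPI 3 document (schemas live under `components.schemas.<name>`), and it differs from the `components.schemas.{{GeneralError}}` form used for the same node by the neighbouring "Schema Object is Empty" fixtures. The value presumably reflects what the query currently emits, so the fix, if one is needed, belongs in the rule that builds the key rather than in this file; still, it is worth checking before these values are pinned as expected results.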
@@ -3,24 +3,52 @@ "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", "line": 25, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 60, - "filename": "positive4.json" + "line": 38, + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" }, { "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 38, - "filename": "positive3.yaml" + "line": 60, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json index 62c6149c85d..75cf91b30e5 100644 
--- a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive2.json" + "line": 60, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { - "queryName": "Global security field has an empty object (v3)", + "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", - "line": 43, - "filename": "positive3.json" + "line": 38, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" + }, + { + "queryName": "Global security field has an empty object (v2)", + "severity": "HIGH", + "line": 60, + "filename": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an 
empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive4.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive5.yaml" + "line": 43, + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 25, - "filename": "positive6.yaml" + "line": 43, + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive7.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive8.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 38, - "filename": "positive9.yaml" + "line": 25, + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { - "queryName": "Global security field has an empty object (v2)", + "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", - "line": 60, - "filename": "positive10.json" + "line": 25, + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 38, - "filename": "positive11.yaml" - }, - { - "queryName": "Global security field has an empty object (v2)", - "severity": "HIGH", - "line": 60, - "filename": "positive12.json" + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json index 962ab661032..18678ebd0f4 100644 --- a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" + }, + { + "queryName": "Security Field On Operations Has An Empty Array (v2)", + "severity": "HIGH", + "line": 17, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 51, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 51, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 
53, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 10, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 31, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 31, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v3)", "severity": "HIGH", "line": 32, - "filename": "positive8.yaml" - }, - { - "queryName": "Security Field On Operations 
Has An Empty Array (v2)", - "severity": "HIGH", - "line": 17, - "filename": "positive10.json" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Array (v2)", "severity": "HIGH", "line": 14, - "filename": "positive9.yaml" + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field array, when declared, should not be empty", + "actualValue": "Security operation field array is declared and empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json index c63557f7866..0a5f5ea85c0 100644 --- a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" + }, + { + "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", + "severity": "HIGH", + "line": 17, + "filename": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 51, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 44, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 
53, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 10, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 31, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 28, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}.security", + "searchValue": "", + "expectedValue": "Security operation field array should not have an empty object", + "actualValue": "Security operation field array has an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v3)", "severity": "HIGH", "line": 32, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + 
"resourceName": "", + "searchKey": "paths.{{/apis}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" }, { "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", "severity": "HIGH", "line": 14, - "filename": "positive9.yaml" - }, - { - "queryName": "Security Field On Operations Has An Empty Object Definition (v2)", - "severity": "HIGH", - "line": 17, - "filename": "positive10.json" + "filename": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "Security operation field should not be empty object", + "actualValue": "Security operation field is an empty object", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json index a74d7ffee20..63464cbd47e 100644 --- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json 
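Review bot: The positive10.json entry is moved from the end of the array to directly after positive1.json, so this fixture now encodes the engine's lexicographic filename order ("positive1" < "positive10" < "positive2") rather than the file-creation order the old fixture had. If the harness compares the array as an ordered list that move is load-bearing and should be called out in the description; if it compares as a set (which the old, unsorted fixture passing suggests), it is churn that makes a 130-line hunk harder to audit. Separately, `expectedValue` and `actualValue` are now pinned verbatim to the query.rego messages, so any wording edit to the rego forces regenerating this file; stating in the PR description that these files are generator output and must not be hand-edited would save the next contributor a failing test.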
@@ -3,48 +3,104 @@ "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 61, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 81, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 30, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 37, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", 
"line": 51, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v3)", "severity": "LOW", "line": 25, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 30, - "filename": "positive6.json" + "line": 26, + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" }, { "queryName": "String Schema with Broad Pattern (v2)", "severity": "LOW", - "line": 26, - "filename": "positive5.yaml" + "line": 30, + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern", + "searchValue": "", + "expectedValue": "String schema has 'pattern' restricted", + "actualValue": "String schema does not have 'pattern' restricted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
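Review bot: positive1.json and positive3.yaml each now pin two findings for the same broad pattern, one at the schema definition (`components.schemas.GeneralError.properties.code.pattern`, line 61 / 37) and one at the consumer (`components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError`, line 81 / 51), so the fixture locks in duplicate reporting of a single defect and a searchKey that embeds `$ref=#/...`. Whether flagging the `$ref` site is intended should be confirmed before it is frozen here, because removing it later means regenerating every fixture for this query. The positive5.yaml and positive6.json entries also swap places (line 26 / line 30) with no field change, which is harmless only if the comparison is order-insensitive. Minor: the pinned `expectedValue` "String schema has 'pattern' restricted" describes a state rather than a requirement, unlike the "should ..." phrasing used by the other queries in this commit; if that wording is ever normalised in query.rego this file must be regenerated with it.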
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json index 085eab862bb..2a7df26a10f 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v2)", 
"severity": "LOW", "line": 12, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Delete Operation (v2)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.delete.responses", + "searchValue": "", + "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Delete does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json index 64cbed3c1b1..4fb28cc82e8 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v2)", "severity": "LOW", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Get Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.get.responses", + "searchValue": "", + "expectedValue": "Get should have at least one successful code (200 or 202)", + "actualValue": "Get does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
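Review bot: The pinned `expectedValue` for GET, "Get should have at least one successful code (200 or 202)", accepts only two codes while the DELETE/PATCH/POST/PUT fixtures in this same commit accept "200, 201, 202 or 204"; if the rego really rejects 204 (inferred from the message, not visible here), a GET that legitimately returns 204 No Content is a false positive that this fixture now locks in, and the HEAD fixture is pinned the same way. If the narrower list is deliberate a sentence in the description would help; if not, the rego should be widened and this file regenerated, since these strings are compared verbatim. The four entries are otherwise distinguishable only by `filename` (two at line 12, two at line 10 with identical searchKey), which is fine as long as the harness keys on filename.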
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json index 1f6c14dc8f6..50c1b74ff20 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Success Response Code Undefined for Head Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", "line": 12, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Head Operation (v2)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.head.responses", + "searchValue": "", + "expectedValue": "Head should have at least one successful code (200 or 202)", + "actualValue": "Head does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json index 5350ccdf0e7..3ee49a5bd1d 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 24, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": 
"LOW", "line": 24, - "filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Patch Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.patch.responses", + "searchValue": "", + "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Patch does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json index f5959207758..f4c6f5e3edf 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 24, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", "line": 24, - 
"filename": "positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json index ba164e0af40..cc3e89c6234 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 24, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", "line": 24, - "filename": 
"positive5.json" + "filename": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json index 1fa501a7423..805ca08a8d9 100644 --- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 10, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 58, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 34, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 40, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be 
defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 55, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 65, - "filename": "positive4.json" + "filename": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 14, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 38, - "filename": "positive6.json" + "filename": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template 
path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 25, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 31, - "filename": "positive7.yaml" + "filename": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 35, - "filename": "positive8.json" + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 45, - "filename": "positive8.json" + "filename": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path 
parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index 8050e654697..eced447a997 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json 
@@ -3,120 +3,260 @@ "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "filename": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" + }, + { + "queryName": "Type Has Invalid Keyword (v2)", + "severity": "INFO", + "line": 17, + "filename": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" + }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 14, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.PointGenre.minimum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minimum is not valid for type string", + "issueType": "IncorrectValue" + }, + { + "queryName": "Type Has Invalid Keyword (v3)", + "severity": "INFO", + "line": 15, + "filename": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.schemas.PointGenre.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 42, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 46, - "filename": "positive3.json" + "filename": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.name.required", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + 
"actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 37, - "filename": "positive4.yaml" + "filename": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 29, - "filename": "positive5.yaml" + "filename": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" }, { "queryName": "Type Has 
Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 37, - "filename": "positive6.yaml" + "filename": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 41, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 55, - "filename": "positive7.json" + "filename": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 33, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 42, - "filename": "positive8.yaml" + "filename": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue" }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 19, - "filename": "positive9.json" - }, - { - "queryName": "Type Has Invalid Keyword (v2)", - "severity": "INFO", - "line": 17, - "filename": "positive10.yaml" - }, - { - "queryName": "Type Has Invalid Keyword (v3)", - "severity": "INFO", - "line": 14, - "filename": "positive11.yaml" - }, - { - "queryName": "Type Has Invalid Keyword (v3)", - "severity": "INFO", - "line": 15, - "filename": "positive11.yaml" + "filename": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 6618f3802ee..523b1e4a9ce 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json 
+++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 44, - "fileName": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties.publiclyAccessible", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", + "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' should be defined", + "actualValue": "Attribute 'publiclyAccessible' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index d93f28a1060..f27170489eb 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
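Review bot: The regenerated expectedValue for positive1.yaml reads `Attribute 'publiclyAccessible' is should be set to 'false'`, which carries a grammatical slip from the query's keyExpectedValue string, and committing it here pins that wording so a later fix to the rego will also require touching this fixture. The sibling pulumi fixtures in this diff use the form `Attribute '<name>' should be set to <value>`, so the intended text is presumably `Attribute 'publiclyAccessible' should be set to 'false'`. Since this file mirrors scanner output, the correction belongs in the query's rego first, with the fixture regenerated afterwards rather than hand-edited.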
@@ -1,8 +1,15 @@ [ - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'accessLogSettings' should be defined", + "actualValue": "Attribute 'accessLogSettings' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 3b55e916d68..7bcd3334254 100644 --- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'clientCertificateId' should be defined", + "actualValue": "Attribute 'clientCertificateId' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json index ec989d87754..f31d10a919a 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json 
+++ b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "filename": "positive1.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive2.yaml" + "filename": "positive2.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: audit, profiler", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive3.yaml" + "filename": "positive3.yaml", + "resourceType": "aws:docdb:Cluster", + "resourceName": "aws:docdb/cluster", + "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index e6fa49800c1..8f47dad463d 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'serverSideEncryption' should be defined", + "actualValue": "Attribute 'serverSideEncryption' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 17, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties.serverSideEncryption.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true", + "actualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index a258509974c..70969733724 100644 --- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'pointInTimeRecovery' should be defined", + "actualValue": "Attribute 'pointInTimeRecovery' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 21, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:dynamodb:Table", + "resourceName": "example", + "searchKey": "resources[example].properties.pointInTimeRecovery.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true", + "actualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index 50322c323b5..4fb19239a84 100644 --- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'monitoring' should be defined and set to true", + "actualValue": "Attribute 'monitoring' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 16, - "fileName": "positive.yaml" + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties.monitoring", + "searchValue": "", + "expectedValue": "Attribute 'monitoring' should be set to true", + "actualValue": "Attribute 'monitoring' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 05f043b1d1b..67f1a9b691d 100644 --- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "EC2 Not EBS Optimized", - "severity": "INFO", - "line": 10, - "fileName": "positive.yaml" - }, - { - "queryName": "EC2 Not EBS Optimized", - "severity": "INFO", - "line": 18, - "fileName": "positive.yaml" - } + { + "queryName": "EC2 Not EBS Optimized", + "severity": "INFO", + "line": 10, + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties.ebsOptimized", + "searchValue": "", + "expectedValue": "Attribute 'ebsOptimized' should be set to true", + "actualValue": "Attribute 'ebsOptimized' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "EC2 Not EBS Optimized", + "severity": "INFO", + "line": 18, + "filename": "positive.yaml", + "resourceType": "aws:ec2:Instance", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'ebsOptimized' should be defined and set to true", + "actualValue": "Attribute 'ebsOptimized' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json index 601fa6515b7..22eec5f18f8 100644 --- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json 
@@ -1,20 +1,41 @@ [ - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "ECS Cluster with Container Insights Disabled", - "severity": "LOW", - "line": 7, - "fileName": "positive3.yaml" - } + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 8, + "filename": "positive1.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties.settings", + "searchValue": "", + "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" + }, + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 8, + "filename": "positive2.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties.settings", + "searchValue": "", + "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "issueType": "IncorrectValue" + }, + { + "queryName": "ECS Cluster with Container Insights Disabled", + "severity": "LOW", + "line": 7, + "filename": "positive3.yaml", + "resourceType": "aws:ecs:Cluster", + "resourceName": "foo", + "searchKey": "resources[foo].properties", + "searchValue": "", + "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'", + "actualValue": "Attribute 'settings' is not defined", + 
"issueType": "MissingAttribute" + } ] diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index f1cf8a75933..7e130bfef9c 100644 --- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM", - "line": 10, - "fileName": "positive.yaml" - }, - { - "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive.yaml" - } + { + "queryName": "ElastiCache Nodes Not Created Across Multi AZ", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties.azMode", + "searchValue": "", + "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is set to single-az", + "issueType": "IncorrectValue" + }, + { + "queryName": "ElastiCache Nodes Not Created Across Multi AZ", + "severity": "MEDIUM", + "line": 18, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster", + "actualValue": "Attribute 'azMode' is not defined", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index f3eb496129c..3ef30d5780e 100644 --- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "ElastiCache Redis Cluster Without Backup", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive.yaml" - }, - { - "queryName": "ElastiCache Redis Cluster Without Backup", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive.yaml" - } + { + "queryName": "ElastiCache Redis Cluster Without Backup", + "severity": "MEDIUM", + "line": 9, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties.snapshotRetentionLimit", + "searchValue": "", + "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0", + "issueType": "IncorrectValue" + }, + { + "queryName": "ElastiCache Redis Cluster Without Backup", + "severity": "MEDIUM", + "line": 17, + "filename": "positive.yaml", + "resourceType": "aws:elasticache:Cluster", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0", + "actualValue": "Attribute 'snapshotRetentionLimit' is not defined", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index f71a9571173..9f6bc0006f3 100644 
--- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 18,
- "fileName": "positive3.yaml"
- }
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 14,
+ "filename": "positive1.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logPublishingOptions' should be defined",
+ "actualValue": "Attribute 'logPublishingOptions' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 17,
+ "filename": "positive2.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' should be defined and set to 'true'",
+ "actualValue": "Attribute 'enabled' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 18,
+ "filename": "positive3.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' should be set to 'true'",
+ "actualValue": "Attribute 'enabled' is set to 'false'",
+ "issueType": "IncorrectValue"
+ }
 ]
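Review bot: In the second and third entries the `searchKey` ends at `logPublishingOptions[0].logType` while `expectedValue`/`actualValue` describe the `enabled` attribute, so the key points at a sibling field of the one being reported; the first entry, by contrast, keys on the object that owns the missing attribute. If the query deliberately anchors on `logType` to identify which publishing option is affected that may be intended, but the `IncorrectValue` entry for positive3.yaml would then be the only fixture in this diff whose key does not name the offending attribute (compare `resources[example].properties.azMode` in the elasticache fixture). Worth confirming against the query's rego before the key is locked into the expected result.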
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index 4a76d1cc1b0..0beacf62270 100644
--- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "aws.elasticsearch.Domain",
+ "resourceName": "0",
+ "searchKey": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'",
+ "actualValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
index 152fb7347ec..4cd878cbfe4 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
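Review bot: The new `searchKey`, `expectedValue` and `actualValue` strings carry `%!s(int=0)`, which is Go's fmt marker for a `%s` verb fed an int, so the expected result pins a formatting defect instead of the intended `resources[0]...` path; the same marker appears in the second entry of the serverless_function_without_unique_iam_role hunk (`functions[%!s(int=0)].hello`). Since these files are regenerated from scan output, the fix belongs in whichever side builds the key, presumably the query's sprintf or the scanner's key formatting, followed by regeneration rather than a hand edit of the fixture. `resourceType` here is also `aws.elasticsearch.Domain` with dots, whereas every other pulumi fixture in this diff uses the colon form such as `aws:elasticsearch:Domain`, so it is worth checking whether that is a second symptom of the same code path.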
@@ -3,12 +3,26 @@
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "aws:iam:AccountPasswordPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher",
+ "actualValue": "Attribute 'minimumPasswordLength' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "aws:iam:AccountPasswordPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.minimumPasswordLength",
+ "searchValue": "",
+ "expectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher",
+ "actualValue": "Attribute 'minimumPasswordLength' is set to less than 14",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index 3a0189f4d2f..6f525859ba7 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "CRITICAL",
 "line": 17,
- "fileName": "positive1.yaml"
+ "filename": "positive1.yaml",
+ "resourceType": "aws:rds:Instance",
+ "resourceName": "default",
+ "searchKey": "resources[default].properties.publiclyAccessible",
+ "searchValue": "",
+ "expectedValue": "'resources.default.properties.publiclyAccessible' should be set to 'false'",
+ "actualValue": "'resources.default.properties.publiclyAccessible' is set to 'true'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
index 74ec4256eda..27765e2fd0b 100644
--- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
+++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Redis Cache Allows Non SSL Connections",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "Redis Cache Allows Non SSL Connections",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive.yaml",
+ "resourceType": "azure-native:cache:Redis",
+ "resourceName": "redis",
+ "searchKey": "resources[redis].properties.enableNonSslPort",
+ "searchValue": "",
+ "expectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false",
+ "actualValue": "Redis Cache has attribute 'enableNonSslPort' set to true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
index c6ab89b625e..d43771f3c87 100644
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
+++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "azure-native:storage:StorageAccount",
+ "resourceName": "storageAccount",
+ "searchKey": "resources[storageAccount].properties.enableHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true",
+ "actualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
index cdc97e3eab8..65b5a40f459 100644
--- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "gcp:storage:Bucket",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Storage Bucket should have attribute 'logging' defined",
+ "actualValue": "Storage Bucket attribute 'logging' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
index 1075917af2f..e3171e8884b 100644
--- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
+++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Google Compute SSL Policy Weak Cipher In Use",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "Google Compute SSL Policy Weak Cipher In Use",
- "severity": "MEDIUM",
- "line": 16,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "Google Compute SSL Policy Weak Cipher In Use",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive.yaml",
+ "resourceType": "gcp:compute:SSLPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'",
+ "actualValue": "SSLPolicy 'minTlsVersion' attribute is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Google Compute SSL Policy Weak Cipher In Use",
+ "severity": "MEDIUM",
+ "line": 16,
+ "filename": "positive.yaml",
+ "resourceType": "gcp:compute:SSLPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.minTlsVersion",
+ "searchValue": "",
+ "expectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'",
+ "actualValue": "SSLPolicy 'minTlsVersion' attribute is set to TLS_1_1",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
index bb03452d61c..44475966547 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotations defined in metadata",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotations defined in metadata",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 42,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata.annotations",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
index d68ff20ecd3..937e1084c79 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive.yaml"
+ "filename": "positive.yaml",
+ "resourceType": "kubernetes:policy/v1beta1:PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.spec.privileged",
+ "searchValue": "",
+ "expectedValue": "PSP should have 'privileged' set to false or not defined",
+ "actualValue": "PSP has 'privileged' set to true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
index 951599524db..d747c505cbd 100644
--- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Serverless API Access Logging Setting Undefined",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "myservice",
+ "searchKey": "provider.logs.restApi.accessLogging",
+ "searchValue": "",
+ "expectedValue": "provider.logs.restApi should have 'accessLogging' set to true",
+ "actualValue": "provider.logs.restApi has 'accessLogging' set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
index 3681cfe75d3..cf970a5bcc2 100644
--- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Serverless API Endpoint Config Not Private",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider",
+ "searchValue": "",
+ "expectedValue": "endpointType should be defined and set to PRIVATE",
+ "actualValue": "endpointType is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Serverless API Endpoint Config Not Private",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider.endpointType",
+ "searchValue": "",
+ "expectedValue": "endpointType should be set to PRIVATE",
+ "actualValue": "endpointType is not set to PRIVATE",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json
index 3e2ab32bd5a..1f2df0ff7b1 100644
--- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Serverless API Without Content Encoding",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider.apiGateway",
+ "searchValue": "",
+ "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value",
+ "actualValue": "apiGateway does not have 'minimumCompressionSize' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Serverless API Without Content Encoding",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider.apiGateway.minimumCompressionSize",
+ "searchValue": "",
+ "expectedValue": "'minimumCompressionSize' should be set to a recommended value",
+ "actualValue": "'minimumCompressionSize' is set a unrecommended value",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json
index 6e81798ca68..6cd25ca0866 100644
--- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json
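Review bot: The second entry's `actualValue`, `'minimumCompressionSize' is set a unrecommended value`, has a grammar slip that the fixture now locks in as the expected scanner output. Because the file mirrors what the query emits, the string to correct is the query's message, for example `'minimumCompressionSize' is set to an unrecommended value`, after which this fixture should be regenerated rather than edited by hand.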
@@ -3,12 +3,26 @@
 "queryName": "Serverless API X-Ray Tracing Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider.tracing.apiGateway",
+ "searchValue": "",
+ "expectedValue": "tracing should have 'apiGateway' set to true",
+ "actualValue": "'apiGateway' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Serverless API X-Ray Tracing Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "my-service",
+ "searchKey": "provider.tracing",
+ "searchValue": "",
+ "expectedValue": "tracing should have 'apiGateway' defined and set to true",
+ "actualValue": "'apiGateway' is not defined within tracing",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json
index 8cf9e285b5c..c4d940ca380 100644
--- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Serverless Function Environment Variables Not Encrypted",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "provider",
+ "searchValue": "",
+ "expectedValue": "'kmsKeyArn' should be defined inside the provider",
+ "actualValue": "'kmsKeyArn' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Serverless Function Environment Variables Not Encrypted",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello",
+ "searchValue": "",
+ "expectedValue": "'kmsKeyArn' should be defined inside the function",
+ "actualValue": "'kmsKeyArn' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Serverless Function Environment Variables Not Encrypted",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "provider",
+ "searchValue": "",
+ "expectedValue": "'kmsKeyArn' should be defined inside the provider",
+ "actualValue": "'kmsKeyArn' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json
index 73f4f272ff6..1463f5f473c 100644
--- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json
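Review bot: The first and third entries commit `"resourceType": ""` and `"resourceName": ""` for the provider-level `kmsKeyArn` finding, while the other provider-keyed serverless fixtures in this diff (serverless_api_access_logging_setting_undefined with `"searchKey": "provider.logs.restApi.accessLogging"`, for instance) carry `AWS::ApiGateway` and a service name. Accepting the empty strings here makes the gap part of the expected output, so any later fix to the query's provider-scope result would fail this test. If the query genuinely cannot name a resource at provider scope, it would help to say so in the query's own documentation; otherwise the rego should populate these fields and the fixture be regenerated.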
@@ -3,6 +3,13 @@
 "queryName": "Serverless Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello",
+ "searchValue": "",
+ "expectedValue": "'onError' should be defined inside the function",
+ "actualValue": "'onError' is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json
index 741020c2f46..df62e22df1f 100644
--- a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Serverless Function Without Tags",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello",
+ "searchValue": "",
+ "expectedValue": "'tags' should be defined inside the function",
+ "actualValue": "'tags' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json
index ecd2c6cc8e9..c274f254afd 100644
--- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Serverless Function Without Unique IAM Role",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello",
+ "searchValue": "",
+ "expectedValue": "'role' should be defined inside the function",
+ "actualValue": "'role' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Serverless Function Without Unique IAM Role",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions[%!s(int=0)].hello",
+ "searchValue": "",
+ "expectedValue": "'role' should be defined inside the function",
+ "actualValue": "'role' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json
index 9f0f7fb945f..62794054503 100644
--- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Serverless Function Without X-Ray Tracing",
 "severity": "LOW",
 "line": 14,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello.tracing",
+ "searchValue": "",
+ "expectedValue": "'tracing' should be set to Active",
+ "actualValue": "'tracing' is not set to Active",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Serverless Function Without X-Ray Tracing",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive2.yml"
+ "filename": "positive2.yml",
+ "resourceType": "AWS::Lambda",
+ "resourceName": "hello",
+ "searchKey": "functions.hello",
+ "searchValue": "",
+ "expectedValue": "'tracing' should be defined and set to Active",
+ "actualValue": "'tracing' is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json
index b3f9f663401..6d3f5929bce 100644
--- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Serverless Role With Full Privileges",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive1.yml"
+ "filename": "positive1.yml",
+ "resourceType": "AWS::IAM",
+ "resourceName": "custom-role-name",
+ "searchKey": "provider.iam.role.statements[0]",
+ "searchValue": "",
+ "expectedValue": "Statement should not give admin privileges",
+ "actualValue": "Statement gives admin privileges",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json
index 0565aeb415a..d192a104a31 100644
--- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json
@@ -3,84 +3,182 @@
 "queryName": "Action Trail Logging For All Regions Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_actiontrail_trail",
+ "resourceName": "action-trail",
+ "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region",
+ "searchValue": "",
+ "expectedValue": "'trail_region' should be set to All",
+ "actualValue": "'trail_region' is not set to All",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Action Trail Logging For All Regions Disabled",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.tf"
+ "line": 5,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_actiontrail_trail",
+ "resourceName": "action-trail",
+ "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw",
+ "searchValue": "",
+ "expectedValue": "'event_rw' should be set to All",
+ "actualValue": "'event_rw' is not set to All",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Action Trail Logging For All Regions Disabled",
 "severity": "MEDIUM",
- "line": 5,
- "fileName": "positive2.tf"
+ "line": 6,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_actiontrail_trail",
+ "resourceName": "action-trail",
+ "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region",
+ "searchValue": "",
+ "expectedValue": "'trail_region' should be set to All",
+ "actualValue": "'trail_region' is not set to All",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Action Trail Logging For All Regions Disabled",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive3.tf"
+ "line": 5,
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_actiontrail_trail",
+ "resourceName": "action-trail",
+ "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw",
+ "searchValue": "",
+ "expectedValue": "'event_rw' should be set to All",
+ "actualValue": "'event_rw' is not set to All",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Action Trail Logging For All Regions
Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.tf" + "line": 6, + "filename": "positive3.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive6.tf" + "filename": 
"positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail8]", + "searchValue": "trail_region", + "expectedValue": "'trail_region' should be set.", + "actualValue": "'trail_region' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail9]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": 
"alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute" }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": "oss_bucket_name is not set.", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index 2928f9afc52..d99f2c1efb0 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "actiontrail3",
+ "searchKey": "alicloud_oss_bucket[actiontrail3].acl",
+ "searchValue": "",
+ "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private",
+ "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "actiontrail4",
+ "searchKey": "alicloud_oss_bucket[actiontrail4].acl",
+ "searchValue": "",
+ "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private",
+ "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json
index 04690e063a8..1204cfb2866 100644
--- a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json
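Review bot: The expectedValue and actualValue strings pinned for both entries name `oss_bucket_name` while the searchKey points at `alicloud_oss_bucket[actiontrail3].acl` (and `[actiontrail4].acl`), so the message describes a different attribute than the one the finding is anchored to. This looks like a wording defect in the query's rego that the fixture now freezes; if that message is corrected later, both entries here must change in the same commit or the test breaks. The two entries also swap filenames (positive2.tf/positive1.tf) while keeping `"line": 3`, which is presumably just the scanner's ordering, but it would be worth stating in the commit description that entries were re-sorted rather than re-attributed.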
@@ -3,6 +3,13 @@
 "queryName": "ALB Listening on HTTP",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "alicloud_alb_listener",
+ "resourceName": "positive",
+ "searchKey": "alicloud_alb_listener[positive].listener_protocol",
+ "searchValue": "",
+ "expectedValue": "'alicloud_alb_listener[positive].listener_protocol' should not be 'HTTP'",
+ "actualValue": "'alicloud_alb_listener[positive].listener_protocol' is 'HTTP'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json
index 557e90971b5..fbdb48b85ea 100644
--- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "API Gateway API Protocol Not HTTPS",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_api_gateway_api",
+ "resourceName": "${alicloud_api_gateway_group.apiGroup.name}",
+ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol",
+ "searchValue": "",
+ "expectedValue": "'protocol' value should be 'HTTPS'",
+ "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway API Protocol Not HTTPS",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_api_gateway_api",
+ "resourceName": "${alicloud_api_gateway_group.apiGroup.name}",
+ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol",
+ "searchValue": "",
+ "expectedValue": "'protocol' value should be 'HTTPS'",
+ "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway API Protocol Not HTTPS",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_api_gateway_api",
+ "resourceName": "${alicloud_api_gateway_group.apiGroup.name}",
+ "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol",
+ "searchValue": "",
+ "expectedValue": "'protocol' value should be 'HTTPS'",
+ "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json
index 3c0a7d0dbae..2ce2ebb0a71 100644
--- a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "CMK Is Unusable",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "CMK Is Unusable",
- "severity": "MEDIUM",
- "line": 5,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "CMK Is Unusable",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "key",
+ "searchKey": "alicloud_kms_key[key]",
+ "searchValue": "",
+ "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true",
+ "actualValue": "alicloud_kms_key[key].is_enabled is not set",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "CMK Is Unusable",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "key",
+ "searchKey": "alicloud_kms_key[key].is_enabled",
+ "searchValue": "",
+ "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true",
+ "actualValue": "alicloud_kms_key[key].is_enabled is set to false",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json
index 77089e414f3..5a9a42be3cc 100644
--- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
- "severity": "MEDIUM",
- "line": 16,
- "fileName": "positive3.tf"
- }
+ {
+ "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_cs_kubernetes_node_pool",
+ "resourceName": "${var.name}",
+ "searchKey": "alicloud_cs_kubernetes_node_pool[default2]",
+ "searchValue": "",
+ "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.",
+ "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "line": 17,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_cs_kubernetes_node_pool",
+ "resourceName": "${var.name}",
+ "searchKey": "alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair ",
+ "searchValue": "",
+ "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default3] to have 'auto_repair' set to true.",
+ "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default3] has 'auto_repair' set to false.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "CS Kubernetes Node Pool Auto Repair Disabled",
+ "severity": "MEDIUM",
+ "line": 16,
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_cs_kubernetes_node_pool",
+ "resourceName": "${var.name}",
+ "searchKey": "alicloud_cs_kubernetes_node_pool[default4].management",
+ "searchValue": "",
+ "expectedValue": "For the resource 
alicloud_cs_kubernetes_node_pool[default4] to have a 'management' block containing 'auto_repair' set to true.",
+ "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' ",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json
index 308fd94b288..57d2e1dbf38 100644
--- a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json
@@ -2,13 +2,27 @@
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive2.tf"
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_disk",
+ "resourceName": "New-disk",
+ "searchKey": "alicloud_disk[disk_encryption1]",
+ "searchValue": "",
+ "expectedValue": "[disk_encryption1] has encryption enabled",
+ "actualValue": "[disk_encryption1] does not have encryption enabled",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
+ "line": 8,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_disk",
+ "resourceName": "New-disk",
+ "searchKey": "alicloud_disk[disk_encryption2].encrypted",
+ "searchValue": "",
+ "expectedValue": "[disk_encryption2] has encryption set to true",
+ "actualValue": "[disk_encryption2] has encryption set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json
index 960092e47e1..85c41af67d1 100644
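Review bot: The searchKey `alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair ` and the default4 actualValue `... doesn't contain 'auto_repair' ` carry trailing spaces, and the `.resource.` segment does not look like an attribute path of the node-pool resource, yet the fixture now pins both verbatim. These values come from the query's output, so any later cleanup of the rego's sprintf formats will break this expected result unless the two are changed together; it is worth checking whether the rego should be fixed before the fixture is frozen. The same class of pinned message defects appears in later hunks of this diff: `attribite` in log_retention_is_not_greater_than_90_days, the unbalanced `encrypt_type'` quoting in both nas_file_system fixtures, and `does not kms master key id defined` in oss_bucket_cmk_encryption_disabled.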
--- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Ecs Data Disk Kms Key Id Undefined",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_disk",
+ "resourceName": "New-disk",
+ "searchKey": "alicloud_disk[ecs_disk]",
+ "searchValue": "",
+ "expectedValue": "[ecs_disk] has kms key id defined",
+ "actualValue": "[ecs_disk] does not have kms key id defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json
index 1d05db81692..95695e00b4a 100644
--- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "High KMS Key Rotation Period",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "keypos1",
+ "searchKey": "alicloud_kms_key[keypos1].rotation_interval",
+ "searchValue": "",
+ "expectedValue": "'automatic_rotation' should be set to Enabled",
+ "actualValue": "'automatic_rotation' is set to Disabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "High KMS Key Rotation Period",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "keypos1",
+ "searchKey": "alicloud_kms_key[keypos1].rotation_interval",
+ "searchValue": "",
+ "expectedValue": "'rotation_interval' value should not be higher than a year",
+ "actualValue": "'rotation_interval' value is higher than a year",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "High KMS Key Rotation Period",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "keypos1",
+ "searchKey": "alicloud_kms_key[keypos1].rotation_interval",
+ "searchValue": "",
+ "expectedValue": "'rotation_interval' value should not be higher than a year",
+ "actualValue": "'rotation_interval' value is higher than a year",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "High KMS Key Rotation Period",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "alicloud_kms_key",
+ "resourceName": "keypos1",
+ "searchKey": "alicloud_kms_key[keypos1].rotation_interval",
+ "searchValue": "",
+ "expectedValue": "'automatic_rotation' should be defined and set to Enabled",
+ "actualValue": "'automatic_rotation' is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
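Review bot: The first and fourth entries report on `automatic_rotation` (expected Enabled, actual Disabled / not defined) but their searchKey is `alicloud_kms_key[keypos1].rotation_interval`, so the highlighted attribute is not the one the message is about. Elsewhere in this diff a MissingAttribute finding anchors its searchKey at the resource itself (for example `alicloud_kms_key[key]` in the cmk_is_unusable fixture), so the fourth entry's attribute-level searchKey also looks inconsistent with that convention. If this mirrors what query.rego emits today the fixture is faithful, but it is worth confirming against the rego before freezing it, since the expected result will have to change again once the searchKey is corrected.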
diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json
index d8a89d699eb..247bafa47d5 100644
--- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_cs_kubernetes",
+ "resourceName": "positive1",
+ "searchKey": "alicloud_cs_kubernetes[positive1]",
+ "searchValue": "terway-eniip",
+ "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip",
+ "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_cs_kubernetes",
+ "resourceName": "positive1",
+ "searchKey": "alicloud_cs_kubernetes[positive1]",
+ "searchValue": "pod_vswitch_ids",
+ "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null",
+ "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_cs_kubernetes",
+ "resourceName": "positive2",
+ "searchKey": "alicloud_cs_kubernetes[positive2]",
+ "searchValue": "pod_vswitch_ids",
+ "expectedValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids should be defined and not null",
+ "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin",
 "severity": "LOW",
 "line": 15,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_cs_kubernetes",
+ "resourceName": "positive3",
+ "searchKey": "alicloud_cs_kubernetes[positive3]",
+ "searchValue": 
"terway-eniip",
+ "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip",
+ "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json
index 22668d31663..a0351d0105d 100644
--- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Launch Template Is Not Encrypted",
 "severity": "HIGH",
 "line": 36,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_launch_template",
+ "resourceName": "tf-test-template",
+ "searchKey": "alicloud_launch_template[templatepos1].encrypted",
+ "searchValue": "",
+ "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true",
+ "actualValue": "alicloud_launch_template[templatepos1].encrypted is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Launch Template Is Not Encrypted",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_launch_template",
+ "resourceName": "tf-test-template",
+ "searchKey": "alicloud_launch_template[templatepos2]",
+ "searchValue": "",
+ "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true",
+ "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json
index 328dd55e0fd..04912ec4512 100644
--- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Log Retention Is Not Greater Than 90 Days",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_log_store",
+ "resourceName": "tf-log-store",
+ "searchKey": "alicloud_log_store[example2]",
+ "searchValue": "",
+ "expectedValue": "For attribute 'retention_period' should be set and over 90 days.",
+ "actualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Log Retention Is Not Greater Than 90 Days",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_log_store",
+ "resourceName": "tf-log-store",
+ "searchKey": "alicloud_log_store[example4].retention_period",
+ "searchValue": "",
+ "expectedValue": "For the attribite 'retention_period' should be set to 90+ days",
+ "actualValue": "The attribute 'retention_period' is not set to 90+ days",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json
index be95c4a5441..f1660784d80 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "NAS File System Not Encrypted",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "alicloud_nas_file_system",
+ "resourceName": "foopos",
+ "searchKey": "alicloud_nas_file_system[foopos].encrypt_type",
+ "searchValue": "",
+ "expectedValue": "alicloud_nas_file_system[foopos].encrypt_type' should not be 0",
+ "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "NAS File System Not Encrypted",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_nas_file_system",
+ "resourceName": "foopos2",
+ "searchKey": "alicloud_nas_file_system[foopos2]",
+ "searchValue": "",
+ "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ",
+ "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json
index 21c252eb2f3..dfb0f669a3d 100644
--- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "NAS File System Without KMS",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- },
- {
- "queryName": "NAS File System Without KMS",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "NAS File System Without KMS",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "alicloud_nas_file_system",
+ "resourceName": "foo",
+ "searchKey": "alicloud_nas_file_system[foo]",
+ "searchValue": "",
+ "expectedValue": "alicloud_nas_file_system[foo].encrypt_type' should be defined and set to 2'",
+ "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "NAS File System Without KMS",
+ "severity": "HIGH",
+ "line": 5,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_nas_file_system",
+ "resourceName": "fooabr",
+ "searchKey": "alicloud_nas_file_system[fooabr]",
+ "searchValue": "",
+ "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'",
+ "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 ",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json
index 3c52d537f01..24d0c0dd624 100644
--- a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "No ROS Stack Policy",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "alicloud_ros_stack",
+ "resourceName": "tf-testaccstack",
+ "searchKey": "alicloud_ros_stack[pos]",
+ "searchValue": "stack_policy",
+ "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined",
+ "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "No ROS Stack Policy",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "alicloud_ros_stack",
+ "resourceName": "tf-testaccstack",
+ "searchKey": "alicloud_ros_stack[pos]",
+ "searchValue": "stack_policy_during_update",
+ "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined",
+ "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "No ROS Stack Policy",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_ros_stack",
+ "resourceName": "tf-testaccstack",
+ "searchKey": "alicloud_ros_stack[pos2]",
+ "searchValue": "stack_policy_during_update",
+ "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined",
+ "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "No ROS Stack Policy",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_ros_stack",
+ "resourceName": "tf-testaccstack",
+ "searchKey": "alicloud_ros_stack[pos3]",
+ "searchValue": "stack_policy",
+
"expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined",
+ "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json
index 505f27742ab..c6dda2f17cd 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "OSS Bucket Allows All Actions From All Principals",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-policy1",
+ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json
index 50ab8630f18..0167d3414e3 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json
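Review bot: The expectedValue and actualValue pinned for the "OSS Bucket Allows All Actions From All Principals" query say `to not accept delete action from all principals` / `accepts delete action from all principals`, which are byte-for-byte the strings the "Allows Delete Action" fixture in the next hunk uses, with the same searchKey `alicloud_oss_bucket[bucket-policy1].policy`. The message therefore describes a delete-only finding while the query is about all actions, which looks like wording copied between the two rego files rather than a description of this check. The fixture is presumably faithful to today's output, so the fix belongs in the all-actions query's rego, with this expected result regenerated alongside it; freezing the copied wording now makes that later change a test-breaking one.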
@@ -3,6 +3,13 @@
 "queryName": "OSS Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-1-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
index 738e8a0babd..1419fd6e221 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "OSS Bucket Allows List Action From All Principals",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "OSS Bucket Allows List Action From All Principals",
- "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "OSS Bucket Allows List Action From All Principals",
+ "severity": "HIGH",
+ "line": 5,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-1-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy1].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept list action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts list action from all principals",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "OSS Bucket Allows List Action From All Principals",
+ "severity": "HIGH",
+ "line": 5,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-5-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy5].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept list action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts list action from all principals",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
index 2678e6b27c3..c35206b0dab 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OSS Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-4-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy4].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy4].policy to not accept put action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy4].policy accepts put action from all principals",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSS Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-5-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy5].policy",
+ "searchValue": "",
+ "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept put action from all principals",
+ "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts put action from all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json
index 459adb57314..7e586598530 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OSS Bucket Encryption Using CMK Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-sserule",
+ "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption2].server_side_encryption_rule",
+ "searchValue": "",
+ "expectedValue": "[bucket_cmk_encryption2].policy has kms master key id defined",
+ "actualValue": "[bucket_cmk_encryption2].policy does not kms master key id defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "OSS Bucket Encryption Using CMK Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-sserule",
+ "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption3]",
+ "searchValue": "",
+ "expectedValue": "[bucket_cmk_encryption3].policy has server side encryption rule and kms master key id defined",
+ "actualValue": "[bucket_cmk_encryption3].policy does not have server side encryption rule and kms master key id defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json
index 53fa9eee657..7842248e234 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "OSS Bucket Has Static Website",
- "severity": "HIGH",
- "line": 4,
- "fileName": "positive1.tf"
- }
+ {
+ "queryName": "OSS Bucket Has Static Website",
+ "severity": "HIGH",
+ "line": 4,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-1-website",
+ "searchKey": "alicloud_oss_bucket[bucket-website1].website",
+ "searchValue": "",
+ "expectedValue": "'website' to not be used.",
+ "actualValue": "'website' is being used.",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json
index 4c7b05e217f..b66b83be97d 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "OSS Bucket Ip Restriction Disabled",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-policy].policy",
+ "searchValue": "",
+ "expectedValue": "[bucket-policy].policy has restricted ip access",
+ "actualValue": "[bucket-policy].policy does not restrict access via ip",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json
index d6955f3438d..0bb46ff390b 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json
@@ -1,15 +1,28 @@
 [
- {
- "queryName": "OSS Bucket Lifecycle Rule Disabled",
- "severity": "LOW",
- "line": 8,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "OSS Bucket Lifecycle Rule Disabled",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
- ]
- 
\ No newline at end of file
+ {
+ "queryName": "OSS Bucket Lifecycle Rule Disabled",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "oss_bucket_lifecycle_enabled2",
+ "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled2].lifecycle_rule.enabled",
+ "searchValue": "",
+ "expectedValue": "'lifecycle_rule' should be set and enabled",
+ "actualValue": "'lifecycle_rule' is set but disabled",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "OSS Bucket Lifecycle Rule Disabled",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-versioning",
+ "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled3]",
+ "searchValue": "",
+ "expectedValue": "'lifecycle_rule' should be set and enabled",
+ "actualValue": "'lifecycle_rule' is not set",
+ "issueType": "MissingAttribute"
+ }
+]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json
index ccde2242e31..382b1920e19 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OSS Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-acl",
+ "searchKey": "alicloud_oss_bucket[bucket_logging2]",
+ "searchValue": "",
+ "expectedValue": "bucket_logging2 has logging enabled",
+ "actualValue": "bucket_logging2 does not have logging enabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSS Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-logging",
+ "searchKey": "alicloud_oss_bucket[bucket_logging1].logging_isenable",
+ "searchValue": "",
+ "expectedValue": "bucket_logging1 'logging_isenable' argument should be set to true",
+ "actualValue": "bucket_logging1 'logging_isenable' argument is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json
index 8c58dcc7975..051948f755a 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json
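Review bot: The first entry in this hunk carries `"issueType": "IncorrectValue"` although its `searchKey` is the bare resource `alicloud_oss_bucket[bucket_logging2]`, its `line` is 1 (the resource line) and its `actualValue` says the bucket does not have logging enabled at all, which is the shape the other fixtures in this change label `MissingAttribute` (bare-resource key plus a "not defined"/"is missing" message). The second entry, which does point at `.logging_isenable`, is the one that reads as an incorrect value. If the query's no-logging branch really emits IncorrectValue the fixture is faithful, but then the query is inconsistent with its siblings; confirm against query.rego and, if it is a missing `logging` block, change that branch to `"issueType": "MissingAttribute"` and regenerate.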
@@ -3,12 +3,26 @@
 "queryName": "OSS Bucket Public Access Enabled",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-acl",
+ "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled2].acl",
+ "searchValue": "",
+ "expectedValue": "'acl' should be set to private or not set",
+ "actualValue": "'acl' is public-read",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSS Bucket Public Access Enabled",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-acl",
+ "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled3].acl",
+ "searchValue": "",
+ "expectedValue": "'acl' should be set to private or not set",
+ "actualValue": "'acl' is public-read-write",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json
index 0c791280fca..cb8446f47fc 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OSS Bucket Transfer Acceleration Disabled",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket_name",
+ "searchKey": "alicloud_oss_bucket[bucket-accelerate].transfer_acceleration.enabled",
+ "searchValue": "",
+ "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true",
+ "actualValue": "'transfer_acceleration.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSS Bucket Transfer Acceleration Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket_name",
+ "searchKey": "alicloud_oss_bucket[bucket-accelerate2]",
+ "searchValue": "",
+ "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true",
+ "actualValue": "'transfer_acceleration' is missing",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
index 23c3f111df9..e1604c633ca 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "OSS Bucket Versioning Disabled",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "OSS Bucket Versioning Disabled",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
- ]
+ {
+ "queryName": "OSS Bucket Versioning Disabled",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-versioning",
+ "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status",
+ "searchValue": "",
+ "expectedValue": "'versioning.status' should be enabled",
+ "actualValue": "'versioning.status' is suspended",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "OSS Bucket Versioning Disabled",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-versioning",
+ "searchKey": "alicloud_oss_bucket[bucket-versioning3]",
+ "searchValue": "",
+ "expectedValue": "'versioning.status' should be defined and set to enabled",
+ "actualValue": "'versioning' is missing",
+ "issueType": "MissingAttribute"
+ }
+]
diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
index abd80438ad1..d07ba0e829d 100644
--- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "OSS Buckets Secure Transport Disabled",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-securetransport1",
+ "searchKey": "alicloud_oss_bucket[bucket-securetransport1].policy",
+ "searchValue": "",
+ "expectedValue": "bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests",
+ "actualValue": "bucket-securetransport1[%!s(MISSING)].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSS Buckets Secure Transport Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-securetransport3].policy",
+ "searchValue": "",
+ "expectedValue": "bucket-securetransport3[%!s(MISSING)].policy should not accept HTTP Requests",
+ "actualValue": "bucket-securetransport3[%!s(MISSING)].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
index d98699c04c7..fbea86c0a80 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
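Review bot: Every `expectedValue` and `actualValue` in this hunk contains `%!s(MISSING)`, which is Go's fmt marker for a `%s` verb that received no argument, so the fixture is pinning a garbled message (`bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests`) rather than a real resource reference. The query producing this text presumably calls `sprintf` with one fewer argument than its format string has verbs; that should be fixed in the query so the message reads like `alicloud_oss_bucket[bucket-securetransport1].policy should not accept HTTP Requests`, matching the `searchKey`, and this file regenerated. Committing the broken string as the expected result means the formatting bug has to stay in place for the test to pass.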
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive3.tf"
- }
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all",
+ "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol",
+ "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol",
+ "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
index 8cd21f4cb92..d54f48947d1 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive3.tf"
- }
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "20",
+ "expectedValue": "tcp:20 port should not be allowed",
+ "actualValue": "tcp:20 port is allowed",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "4333",
+ "expectedValue": "udp:4333 port should not be allowed",
+ "actualValue": "udp:4333 port is allowed",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "445",
+ "expectedValue": "all:445 port should not be allowed",
+ "actualValue": "all:445 port is allowed",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
index 80a2c2a200c..01e657a0dde 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Public Security Group Rule Unknown Port",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "",
+ "expectedValue": "port_range should not contain unknown ports and should not be exposed to the entire Internet",
+ "actualValue": "port_range contains unknown ports and are exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Public Security Group Rule Unknown Port",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "",
+ "expectedValue": "port_range should not contain ports unknown and should not be exposed to the entire Internet",
+ "actualValue": "port_range contains ports unknown and are exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
index d14c93ba305..b925a169dec 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Ram Account Password Policy Max Login Attempts Unrecommended",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_login_attempts",
+ "searchValue": "",
+ "expectedValue": "'max_login_attempts' should be set to 5 or less",
+ "actualValue": "'max_login_attempts' is above than 5",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
index cfc7756ec85..c516558dbae 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive3.tf"
- }
- ]
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is higher than 90",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is equal to 0",
+ "issueType": "IncorrectValue"
+ }
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
index 8c9c0f8181b..d797f792b53 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Ram Account Password Policy Not Required Minimum Length",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length",
+ "searchValue": "",
+ "expectedValue": "'minimum_password_length' should be defined and set to 14 or above",
+ "actualValue": "'minimum_password_length' is lower than 14",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Ram Account Password Policy Not Required Minimum Length",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ",
+ "actualValue": "'minimum_password_length' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
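Review bot: The second entry's `expectedValue` in the minimum-length hunk ends with a trailing space (`... set to 14 or above "`), while the first entry's otherwise identical text does not, and the expected-result comparison is presumably a literal string match. That is most likely a stray space in the query's message for the not-defined branch; trim it there and regenerate so both entries read `'minimum_password_length' should be defined and set to 14 or above`. Leaving it in the fixture silently requires the query to keep emitting the stray whitespace.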
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
index de07152d6ee..c4fce56d8e7 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Ram Account Password Policy Not Required Numbers",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_numbers",
+ "searchValue": "",
+ "expectedValue": "'require_numbers' should be defined and set to true",
+ "actualValue": "'require_numbers' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
index 46255c5cc41..e0f8e40441d 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "RAM Account Password Policy Not Required Symbols",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate2",
+ "searchKey": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols",
+ "searchValue": "",
+ "expectedValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols should be set to 'true'",
+ "actualValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
index fe5728ac173..41034ea347c 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
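Review bot: The `searchKey`, `expectedValue` and `actualValue` in this hunk all carry a `resource.` prefix (`resource.alicloud_ram_account_password_policy[corporate2].require_symbols`) that none of the neighbouring password-policy fixtures use; the require_numbers, lowercase and uppercase entries in this same change start at `alicloud_ram_account_password_policy[...]`. The fixture is faithful to the query's output, but the inconsistency means sibling checks on the same resource render their search keys differently, which is what a consumer keys on to locate the finding. Align the symbols query with its siblings so the key is `alicloud_ram_account_password_policy[corporate2].require_symbols` and regenerate this file.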
@@ -3,12 +3,26 @@
 "queryName": "RAM Account Password Policy without Reuse Prevention",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24",
+ "actualValue": "'password_reuse_prevention' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
- "queryName": "RAM Account Password Policy without Reuse Prevention",
- "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive2.tf"
- }
+ "queryName": "RAM Account Password Policy without Reuse Prevention",
+ "severity": "MEDIUM",
+ "line": 9,
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention",
+ "searchValue": "",
+ "expectedValue": "'password_reuse_prevention' should be equal or less 24",
+ "actualValue": "'password_reuse_prevention' is higher than 24",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
index 6ff9fbdede7..357bc6b0a30 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Ram Account Password Policy Not Require At Least one Lowercase Character",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_lowercase_characters",
+ "searchValue": "",
+ "expectedValue": "'require_lowercase_characters' should be defined and set to true",
+ "actualValue": "'require_lowercase_characters' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
index c1582b50b4a..4c67caf2a89 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "RAM Account Password Policy Not Require at Least one Uppercase Character",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_uppercase_characters",
+ "searchValue": "",
+ "expectedValue": "'require_uppercase_characters' should be defined and set to true",
+ "actualValue": "'require_uppercase_characters' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
index 497637249cc..3f1fe5c8a09 100644
--- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_user_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_user_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy4] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_ram_group_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_group_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy5] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 49,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_ram_role_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
index 3404fe656f2..de4bad59878 100644
--- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Ram Policy Attached to User",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_ram_user_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_user_policy_attachment[attach]",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_user_policy_attachment[attach] should be undefined",
+ "actualValue": "alicloud_ram_user_policy_attachment[attach] is defined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
index 7215cbff00d..c20997f13f1 100644
--- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
@@ -3,12 +3,26 @@ "queryName": "RAM Security Preference Not Enforce MFA Login", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_ram_security_preference", + "resourceName": "example1", + "searchKey": "alicloud_ram_security_preference[example1]", + "searchValue": "", + "expectedValue": "'enforce_mfa_for_login' should be defined and set to true", + "actualValue": "'enforce_mfa_for_login' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RAM Security Preference Not Enforce MFA Login", "severity": "LOW", "line": 14, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_ram_security_preference", + "resourceName": "example2", + "searchKey": "alicloud_ram_security_preference[example2]", + "searchValue": "", + "expectedValue": "'enforce_mfa_for_login' should be set to true", + "actualValue": "'enforce_mfa_for_login' is set to 'false'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json index 32a9bcec0b0..6545ecb4847 100644 --- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "example", + "searchKey": "alicloud_db_instance[example].address", + "searchValue": "", + "expectedValue": "'address' should not be set to '0.0.0.0/0'", + "actualValue": "'address' is set to '0.0.0.0/0'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json index d06825af75c..f51b894acc0 100644 --- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map.rds_enabled", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter value is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json index ba86d6a30eb..28ccca5025b 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_connections' parameter is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_connections' parameter value should be 'ON'", + "actualValue": "'log_connections' parameter value is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_connections' parameter is not defined in parameters array", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json index f75edb57cb9..704367e7f76 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "RDS Instance Log Disconnections Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default].parameters[2].value",
+ "searchValue": "",
+ "expectedValue": "'log_disconnections' parameter value should be 'ON'",
+ "actualValue": "'log_disconnections' parameter value is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Instance Log Disconnections Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default].parameters",
+ "searchValue": "",
+ "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON'",
+ "actualValue": "'log_disconnections' parameter is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "RDS Instance Log Disconnections Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default]]",
+ "searchValue": "",
+ "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array",
+ "actualValue": "'log_disconnections' parameter is not defined in parametes array",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
index fbf1412ab90..6209e60c7e8 100644
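Review bot: The positive3 entry's `searchKey` is `alicloud_db_instance[default]]`, with an unbalanced closing bracket, and its expectedValue/actualValue spell `parametes`; the same malformed key appears in the rds_instance_log_duration_disabled hunk that follows (there with the correct `parameters` spelling), while the sibling rds_instance_log_connections_disabled fixture earlier in this diff has the well-formed `alicloud_db_instance[default]` and `parameters array`. If these files are regenerated from scanner output, the fixture is pinning a defect in the corresponding query.rego's searchKey and message text rather than documenting intended behaviour, and the test will keep passing against the wrong key. Fix the key and wording at the source and regenerate, so the entry reads `"searchKey": "alicloud_db_instance[default]"` and `... in parameters array`.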
--- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "RDS Instance Log Duration Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default].parameters[2].value",
+ "searchValue": "",
+ "expectedValue": "'log_duration' parameter value should be 'ON'",
+ "actualValue": "'log_duration' parameter value is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Instance Log Duration Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default].parameters",
+ "searchValue": "",
+ "expectedValue": "'log_duration' parameter should be defined and value should be 'ON'",
+ "actualValue": "'log_duration' parameter is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "RDS Instance Log Duration Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "default",
+ "searchKey": "alicloud_db_instance[default]]",
+ "searchValue": "",
+ "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array",
+ "actualValue": "'log_duration' parameter is not defined in parameters array",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json
index 2fa2c88c80a..a9148e1ea19 100644
--- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0' is in 'security_ips' list", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0/0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0/0' is in 'security_ips' list", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 516ef3469b8..2fb13dc74d4 100644 --- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_status", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": 
"alicloud_db_instance[default].sql_collector_status", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 7, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].sql_collector_config_value", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is set to 30", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json index 884e34ebed6..8330599b7f2 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].ssl_action", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' value is 'Close'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json index f9aac5a2630..8438af6f17f 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json index 8d96395e757..244d3c2667a 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should have urls", + "actualValue": "stack 'notification_urls' is empty", + "issueType": "IncorrectValue" }, { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should be defined", + "actualValue": "stack 'notification_urls' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json index b347e2dd2b1..6042fc5c135 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false", + "issueType": "IncorrectValue" }, { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example]", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json index d53d3d5cbf8..23ea89e77b8 100644 --- a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json 
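Review bot: The positive.tf entry's expectedValue `alicloud_ros_stack_instance[example].retain_stacks should be true ` carries a trailing space before the closing quote, and the fixture comparison will require that byte-for-byte. If the value is copied from the query's output, the stray space lives in query.rego and should be trimmed there before this file is regenerated; otherwise drop it here: `"expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true",`.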
@@ -1,8 +1,15 @@ [ - { - "queryName": "ROS Stack Without Template", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - } - ] + { + "queryName": "ROS Stack Without Template", + "severity": "MEDIUM", + "line": 1, + "filename": "positive1.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set.", + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined.", + "issueType": "MissingAttribute" + } +] diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json index 0787eeaa125..07175950c76 100644 --- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "SLB Policy With Insecure TLS Version In Use", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "alicloud_slb_tls_cipher_policy", + "resourceName": "positive", + "searchKey": "alicloud_slb_tls_cipher_policy[positive].tls_versions", + "searchValue": "", + "expectedValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions to use secure TLS versions", + "actualValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions uses insecure TLS versions", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json index 42b4e6f8dec..2fdab292efa 100644 
--- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "VPC Flow Logs Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "alicloud_vpc", + "resourceName": "main", + "searchKey": "alicloud_vpc[main]", + "searchValue": "", + "expectedValue": "alicloud_vpc[main] is associated with an 'alicloud_vpc_flow_log'", + "actualValue": "alicloud_vpc[main] is not associated with an 'alicloud_vpc_flow_log'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json index e663004ce62..d5479d64bec 100644 --- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json 
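Review bot: The vpc_flow_logs_disabled entry classifies a missing flow-log association as `"issueType": "IncorrectValue"`, while the alb_is_not_integrated_with_waf fixture later in this diff classifies the same "resource lacks an associated X" condition as `MissingAttribute`. The inconsistency presumably originates in the two queries' rego rather than in the fixtures, but landing it here freezes it into the test baseline. Reconciling the issueType in the queries before regenerating keeps positive_expected_result.json a reliable contract for any consumer that branches on that field.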
@@ -3,36 +3,78 @@ "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive1].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive2]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive3].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive4]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.tf" + "filename": "positive5.tf", + 
"resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 412dc085a1f..445482f1cb3 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "foo", + "searchKey": "aws_alb[foo]", + "searchValue": "", + "expectedValue": "'aws_alb[foo]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute" }, { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[alb]", + "searchValue": "", + "expectedValue": "'aws_lb[alb]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_lb[alb]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json index 8a0e258e845..76b950f3a36 100644 --- a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener5", + "searchKey": "aws_lb_listener[listener5].default_action.redirect.protocol", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect.protocol' is equal 'HTTP'", + "issueType": "IncorrectValue" }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 70, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener", + "searchKey": "aws_lb_listener[listener].default_action", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json index 1f97c90fd36..403e81699a1 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping 
Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 12, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 8, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf" + "filename": "positive6.tf", + 
"resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 2497e484f40..5c9ae06a034 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 10, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dms_replication_instance", + "resourceName": "test", + "searchKey": "aws_dms_replication_instance[test].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_dms_replication_instance[test].publicly_accessible should be set to false", + "actualValue": "aws_dms_replication_instance[test].publicly_accessible is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index f2d96094196..d5aa689f21b 100644 --- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "AmazonMQ Broker Encryption Disabled",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_mq_broker",
+ "resourceName": "example",
+ "searchKey": "resource.aws_mq_broker[positive1]",
+ "searchValue": "",
+ "expectedValue": "resource.aws_mq_broker[positive1].encryption_options should be defined",
+ "actualValue": "resource.aws_mq_broker[positive1].encryption_options is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json
index c602b4411df..17752f768ce 100644
--- a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json
@@ -2,19 +2,40 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 29, - "fileName": "positive.tf" + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive1].ebs_block_device", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", "line": 25, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'", + "issueType": "IncorrectValue" }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 7, - "fileName": "positive.tf" + "line": 29, + "filename": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive3]", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index e24986c08b3..7570b8c27fb 100644 --- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive1", + "searchKey": "aws_ami_launch_permission[positive1].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive1].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive1].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue" }, { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive2", + "searchKey": "aws_ami_launch_permission[positive2].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive2].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive2].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 1e3d8fd2c04..47cf2e026d5 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -3,78 +3,169 @@ "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive10", + "searchKey": "aws_api_gateway_stage[positive10]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive11", + "searchKey": "aws_apigatewayv2_stage[positive11]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive20", + "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 28, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive21", + "searchKey": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level should be 
defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive30", + "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 27, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive31", + "searchKey": "aws_apigatewayv2_stage[positive31].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive40", + "searchKey": "aws_api_gateway_method_settings[allpositive4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 
15, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive41", + "searchKey": "aws_apigatewayv2_stage[positive41]", + "searchValue": "default_route_settings", + "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive50", + "searchKey": "aws_api_gateway_method_settings[allpositive5].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level should not be set to OFF", + "actualValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 28, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive51", + "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", + "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive60", + "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", + "searchValue": "", + "expectedValue": 
"aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 27, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive61", + "searchKey": "aws_apigatewayv2_stage[positive61].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive70", + "searchKey": "aws_api_gateway_stage[positive70]", + "searchValue": "aws_api_gateway_method_settings", + "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", + "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index c77dbf0991b..5c761b5c04d 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "examplee", + "searchKey": "aws_api_gateway_deployment[examplee]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example3", + "searchKey": "aws_api_gateway_deployment[example3]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example3] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[example3] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example4", + "searchKey": "aws_api_gateway_deployment[example4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", + "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json
index c90c5d51934..275f5fbe0d5 100644
--- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_deployment[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 9, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_deployment[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 14, - "filename": "positive2.json" + "filename": "positive2.json", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "aws_api_gateway_deployment.positive1", + "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] has a 'aws_api_gateway_usage_plan' resource associated. 
",
+ "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated",
 "severity": "LOW",
 "line": 31,
- "filename": "positive2.json"
+ "filename": "positive2.json",
+ "resourceType": "aws_api_gateway_deployment",
+ "resourceName": "aws_api_gateway_deployment.positive2",
+ "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] has a 'aws_api_gateway_usage_plan' resource associated. ",
+ "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
index 312133f896e..20e69a6639c 100644
--- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "API Gateway Endpoint Config is Not Private",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_rest_api",
+ "resourceName": "positive1",
+ "searchKey": "aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]",
+ "searchValue": "",
+ "expectedValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' should be 'PRIVATE'.",
+ "actualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'.",
+ "issueType": "IncorrectValue"
 }
 ]
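Review bot: The added `searchKey` for positive1 in api_gateway_endpoint_config_is_not_private, `aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]`, contains a Go fmt verb-mismatch artifact (`%s` applied to an int), so this fixture now pins a malformed key as the expected scanner output instead of surfacing the bug. The index should render as `types[0]`; the defect is presumably in the sprintf format of that query's query.rego (not visible here) and should be fixed there, with this file regenerated afterwards. Any regenerated expected result containing `%!` should be treated as a formatting bug in the query, not committed as-is.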
diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 96be3ea7103..4078d1198ac 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json @@ -1,12 +1,28 @@ [ { - "line": 1, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "resource.aws_api_gateway_method[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", + "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined", + "issueType": "MissingAttribute" }, { - "line": 13, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive2", + "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", + "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json index e8ac44bb382..36e55a88c5f 100644 
--- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 40, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific", + "searchKey": "aws_api_gateway_method_settings[{{path_specific}}].settings.cache_data_encrypted", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 48, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific_2", + "searchKey": "aws_api_gateway_method_settings[{{path_specific_2}}].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 622bd75d7de..9b5b2d4c3ce 100644 --- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index 4b6ad1bccab..2c6d540ac75 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive3", + "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute" }, { 
"queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive4", + "searchKey": "aws_api_gateway_stage[positive4]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 173ab08fb39..0553915cd39 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be set and have a value greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive2].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is -1", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 28 + "line": 28, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive3].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is 10485760", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json index ca54d5a0e5d..2b11f8d9e46 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "API Gateway With Open Access", "severity": "MEDIUM", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_method[positive1].http_method", + "searchValue": "", + "expectedValue": "aws_api_gateway_method.authorization should only be 'NONE' if http_method is 'OPTIONS'", + "actualValue": "aws_api_gateway_method[positive1].authorization type is 'NONE' and http_method is not ''OPTIONS'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 1f2ddd7d112..722af942cb7 100644 --- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "auth-demo", + "searchKey": "aws_api_gateway_rest_api[demo2]", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json index dabda1db530..0ef51803589 100644 
--- a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example", + "searchKey": "aws_api_gateway_domain_name[example]", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example].security_policy should be set", + "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined", + "issueType": "MissingAttribute" }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example2", + "searchKey": "aws_api_gateway_domain_name[example2].security_policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", + "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index f463395207b..baa3168f372 100644 --- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json 
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "API Gateway Without SSL Certificate",
- "severity": "MEDIUM",
- "line": 1
- }
+ {
+ "queryName": "API Gateway Without SSL Certificate",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_stage",
+ "resourceName": "positive1",
+ "searchKey": "aws_api_gateway_stage[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'client_certificate_id' should be set",
+ "actualValue": "Attribute 'client_certificate_id' is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json
index f27dbae4e51..499722f04b8 100644
--- a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "API Gateway without WAF",
- "severity": "MEDIUM",
- "line": 75,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "API Gateway without WAF",
+ "severity": "MEDIUM",
+ "line": 75,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_stage",
+ "resourceName": "positive1",
+ "searchKey": "aws_api_gateway_stage[positive1]",
+ "searchValue": "",
+ "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall",
+ "actualValue": "API Gateway Stage is not associated with a Web Application Firewall",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json
index 1af365e3611..a94bb2ecf03 100644
--- a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' should be true", + "actualValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' should be set", + "actualValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json index 18c66e3bef2..5a79f6b4b99 100644 --- a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json 
@@ -3,6 +3,13 @@
 "queryName": "Athena Database Not Encrypted",
 "severity": "HIGH",
 "line": 5,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_athena_database",
+ "resourceName": "database_name",
+ "searchKey": "aws_athena_database[{{hoge}}]",
+ "searchValue": "",
+ "expectedValue": "aws_athena_database[{{hoge}}] encryption_configuration should be defined",
+ "actualValue": "aws_athena_database[{{hoge}}] encryption_configuration is missing",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json
index 20026ebe822..0b921ea419c 100644
--- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json
@@ -3,18 +3,39 @@ "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example}}]", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing", + "issueType": "MissingAttribute" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 8, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing", + "issueType": "MissingAttribute" }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 21, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json index 9477d4c16c9..a7f9aee8d97 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", "line": 16, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", "line": 5, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json index b19f10f0100..74c0b63a18b 100644 --- a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Authentication Without MFA", "severity": "LOW", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Authentication Without MFA", "severity": "LOW", "line": 19, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive2].policy", + "searchValue": "", + "expectedValue": "The attributes 'policy.Statement.Condition', 'policy.Statement.Condition.BoolIfExists', and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be defined and not null", + "actualValue": "The attribute(s) 'policy.Statement.Condition' or/and 'policy.Statement.Condition.BoolIfExists' or/and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is/are undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index e75a9075e68..554e6ef543d 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar", + "searchKey": "aws_autoscaling_group[bar]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "positive2", + "searchKey": "aws_autoscaling_group[positive2].load_balancers", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3]", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4].load_balancers", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined", + "issueType": "IncorrectValue" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + 
"filename": "positive5.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 83ba730529e..b102aa7a35e 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
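Review bot: The positive4 entry pairs `"actualValue": "'load_balancers' is undefined"` with `"issueType": "IncorrectValue"`, while the positive3 entry two blocks above carries the same undefined-value wording and gets `MissingAttribute`; an undefined attribute is normally a MissingAttribute, so this looks like the pattern-based inference picking the wrong branch rather than what the query actually emits. The same "… is undefined" / IncorrectValue pairing appears in the module entries of the block_device_is_not_encrypted hunk further down. Since this commit does not re-run scans, these values should be checked against the issueType that query.rego reports for the module branch before the fixtures are locked in; a wrong expected issueType either masks a query bug or fails as soon as the test compares the field.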
@@ -3,12 +3,26 @@ "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 13, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json index fe9dda79ff0..fe59242f656 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "foobar3-terraform-test", + "searchKey": "aws_autoscaling_group[positive1]", + "searchValue": "", + "expectedValue": "'tags' or 'tag' should be defined and not null", + "actualValue": "'tags' and 'tag' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg]", + "searchValue": "", + "expectedValue": "'tags' should be defined and not null", + "actualValue": "'tags' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json index aee6e567c5a..d3f3355c826 100644 --- a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is missing domain field set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_eip", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is missing domain field set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_eip", + "resourceName": "nat_eip", + "searchKey": "aws_eip[nat_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_eip", + "resourceName": "transfer_eip", + "searchKey": "aws_eip[transfer_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_eip", + "resourceName": "one", + "searchKey": "aws_eip[one]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { 
"queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "Vpc is not set to true", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "aws_eip", + "resourceName": "ok_eip", + "searchKey": "aws_eip[ok_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "Domain is not set to \"vpc\"", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 1, - "fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "aws_eip", + "resourceName": "eip_example", + "searchKey": "aws_eip[eip_example]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" }, { "queryName": "AWS EIP not attached to any instance", "severity": "LOW", "line": 6, - "fileName": "positive9.tf" + "filename": "positive9.tf", + "resourceType": "aws_eip", + "resourceName": "web_eip", + "searchKey": "aws_eip[web_eip]", + "searchValue": "", + "expectedValue": "All EIPs should be attached", + "actualValue": "EIP is not attached", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 27c0f9f9aa7..390cdf5c29c 100644 --- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "AWS Password Policy With Unchangeable Passwords",
 "severity": "LOW",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "aws_iam_account_password_policy",
+ "resourceName": "positive2",
+ "searchKey": "aws_iam_account_password_policy[positive2].allow_users_to_change_password",
+ "searchValue": "",
+ "expectedValue": "'allow_users_to_change_password' should equal 'true'",
+ "actualValue": "'allow_users_to_change_password' is equal 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
index 02df24b24d5..08c59e01ee5 100644
--- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
 {
- "line": 11,
 "queryName": "Batch Job Definition With Privileged Container Properties",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "aws_batch_job_definition",
+ "resourceName": "tf_test_batch_job_definition",
+ "searchKey": "aws_batch_job_definition[positive1].container_properties.privileged",
+ "searchValue": "",
+ "expectedValue": "aws_batch_job_definition[positive1].container_properties.privileged should be 'false' or not set",
+ "actualValue": "aws_batch_job_definition[positive1].container_properties.privileged is 'true'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 9ae3e7fd697..881e2b89223 100644 --- a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json 
@@ -3,150 +3,325 @@
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "example1",
+ "searchKey": "aws_launch_configuration[example1].ebs_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set",
+ "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 28,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "example2",
+ "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true",
+ "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 36,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "test-launch-config",
+ "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true",
+ "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 28,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 41,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example1].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true",
+ "actualValue": "aws_instance[example1].root_block_device.encrypted is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 31,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "positive5",
+ "searchKey": "aws_instance[example2].ebs_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true",
+ "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example1].root_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example1].root_block_device.encrypted should be set",
+ "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 24,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example2].ebs_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set",
+ "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive7-aws6].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive7-legacy].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8-aws6].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8-legacy].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive9.tf"
+ "filename": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9-aws6].root_block_device",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive9.tf"
+ "filename": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9-legacy].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
index 245876f319a..a319d031382 100644
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1].ca_cert_identifier",
+ "searchValue": "",
+ "expectedValue": "'aws_db_instance.ca_cert_identifier' should be one provided by Amazon RDS.",
+ "actualValue": "'aws_db_instance.ca_cert_identifier' is 'rds-ca-2015'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db].ca_cert_identifier",
+ "searchValue": "",
+ "expectedValue": "'ca_cert_identifier' should be one provided by Amazon RDS.",
+ "actualValue": "'ca_cert_identifier' is 'rds-ca-2015'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
index 2a75eeb2298..7bfd745273e 100644
--- a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].enabled",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].enabled should be set to 'true'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].enabled is configured as 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 61
+ "line": 61,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2]",
+ "searchValue": "origin",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 61
+ "line": 61,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2]",
+ "searchValue": "enabled",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
index e7adcba6c9b..6b0c62e5411 100644
--- a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Certificate Has Expired",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_domain_name",
+ "resourceName": "example2",
+ "searchKey": "aws_api_gateway_domain_name[example2].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_domain_name[example2].certificate_body should not have expired",
+ "actualValue": "aws_api_gateway_domain_name[example2].certificate_body has expired",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
index e03996e371c..ee33fd5194f 100644
--- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Certificate RSA Key Bytes Lower Than 256",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_api_gateway_domain_name",
+ "resourceName": "example",
+ "searchKey": "aws_api_gateway_domain_name[example].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_domain_name[example].certificate_body uses a RSA key with a length equal to or higher than 256 bytes",
+ "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Certificate RSA Key Bytes Lower Than 256",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_iam_server_certificate",
+ "resourceName": "test_cert2",
+ "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes",
+ "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index 0e8947653f8..d001abed431 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudfront_distribution[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudfront_distribution[positive1].logging_config should be defined",
+ "actualValue": "aws_cloudfront_distribution[positive1].logging_config is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
index d994045fcec..6a37435bd13 100644
--- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 27
+ "line": 27,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 96
+ "line": 96,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.{{/content/immutable/*}}.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
index 6885c67a30f..6035ce72396 100644
--- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1]",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive3",
+ "searchKey": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' should be 'false'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' is 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudFront Without Minimum Protocol TLS 1.2",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive4",
+ "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null",
+ "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
index 109793cfe3c..1678f37e7b1 100755
--- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudFront Without WAF",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudfront_distribution[positive1].web_acl_id",
+ "searchValue": "",
+ "expectedValue": "'web_acl_id' should exist",
+ "actualValue": "'web_acl_id' is missing",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
index 38519cfef6e..3e02e7a4ba1 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json
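Review bot: The `expectedValue`/`actualValue` strings pinned in the CloudFront Without Minimum Protocol TLS 1.2 hunk each carry an unbalanced single quote, e.g. `"resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null"` and `"...minimum_protocol_version' is TLSv1_2016"`, which this fixture now enforces as the expected scanner output. That presumably mirrors the query's own message text rather than a mistake in this file, so the fix belongs in the query's keyExpectedValue/keyActualValue followed by a regeneration, not a hand edit here; otherwise correcting the message later will break this test. If the quote is intended, a short note in the PR description saying so would save the next reader the same double-take.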
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudtrail[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_cloudtrail[positive1].enable_log_file_validation' should be set",
+ "actualValue": "'aws_cloudtrail[positive1].enable_log_file_validation' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Log File Validation Disabled",
 "severity": "LOW",
- "line": 9
+ "line": 9,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "positive2",
+ "searchKey": "aws_cloudtrail[positive2].enable_log_file_validation",
+ "searchValue": "",
+ "expectedValue": "'aws_cloudtrail[positive2].enable_log_file_validation' should be true",
+ "actualValue": "'aws_cloudtrail[positive2].enable_log_file_validation' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
index 1b50e20f3e9..c81d9d29281 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudTrail Log Files Not Encrypted With KMS",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "npositive_1",
+ "searchKey": "aws_cloudtrail[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudtrail[positive1].kms_key_id should be defined and not null",
+ "actualValue": "aws_cloudtrail[positive1].kms_key_id is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json
index f1f9a1ab388..a949760373e 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible",
 "severity": "HIGH",
 "line": 25,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[b].acl",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[b] to not be publicly accessible",
+ "actualValue": "aws_s3_bucket[b] is publicly accessible",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible",
 "severity": "HIGH",
 "line": 23,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "module[s3_bucket] to not be publicly accessible",
+ "actualValue": "module[s3_bucket] is publicly accessible",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible",
 "severity": "HIGH",
 "line": 24,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "module[s3_bucket] to not be publicly accessible",
+ "actualValue": "module[s3_bucket] is publicly accessible",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json
index 3a2437a6896..dcd89ddb202 100644
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "tf-test-trail",
+ "searchKey": "aws_s3_bucket[foo]",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[foo] to have 'logging' defined",
+ "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[foo]",
+ "searchValue": "",
+ "expectedValue": "'logging' should be defined",
+ "actualValue": "'logging' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-example-bucket",
+ "searchKey": "aws_s3_bucket[bb]",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined",
+ "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
index 8e57b93dc88..f7cc8bfd439 100644
--- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudTrail Logging Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "positive",
+ "searchKey": "aws_cloudtrail.positive1.enable_logging",
+ "searchValue": "",
+ "expectedValue": "aws_cloudtrail.positive1.enable_logging should be true",
+ "actualValue": "aws_cloudtrail.positive1.enable_logging is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
index 64b89e0ab91..443eb15b4d4 100644
--- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@ "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive1].is_multi_region_trail should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_2", + "searchKey": "aws_cloudtrail[positive2].is_multi_region_trail", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive2].is_multi_region_trail should be set to true", + "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false", + "issueType": "IncorrectValue" }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_3", + "searchKey": "aws_cloudtrail[positive3].include_global_service_events", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", + "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 8f79cf0b981..bddc46a57ba 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 1,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "tf-trail-foobar",
+ "searchKey": "aws_cloudtrail[positive1]",
+ "searchValue": "cloud_watch_logs_group_arn",
+ "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null",
+ "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 1,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "tf-trail-foobar",
+ "searchKey": "aws_cloudtrail[positive1]",
+ "searchValue": "cloud_watch_logs_role_arn",
+ "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null",
+ "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index ab5ba6bb6b4..98432ba7783 100644
--- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudtrail[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_cloudtrail[positive1].sns_topic_name' should be set and should not be null",
+ "actualValue": "'aws_cloudtrail[positive1].sns_topic_name' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "positive2",
+ "searchKey": "aws_cloudtrail[positive2]",
+ "searchValue": "",
+ "expectedValue": "'aws_cloudtrail[positive2].sns_topic_name' should be set and should not be null",
+ "actualValue": "'aws_cloudtrail[positive2].sns_topic_name' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
index 1459de355bb..ab391933226 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { 
"queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of 
file +] diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json index b56668d3c45..42811e3501a 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json 
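Review bot: All four entries in this hunk pin `"line": 1`, `"searchKey": "resource"` and `"resourceName": "unknown"`, so the fixture cannot tell which `aws_cloudwatch_log_metric_filter` the query flagged and only the long `expectedValue`/`actualValue` strings distinguish the finding; the same shape appears in the organizations, NACL, CloudTrail-configuration, CMK and IAM-policy alarm fixtures below. That is faithful to what the query emits, but it means a regression that reports the wrong resource (or a filter with the right pattern but no alarm) would still match this file. Worth a note in the commit description that these "resource"-keyed fixtures are intentionally coarse, so nobody tightens them without also changing the queries. The message text "be associated an aws_cloudwatch_metric_alarm" reads as "be associated with an"; it originates in the query, so fix it there and regenerate rather than editing it here.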
@@ -3,12 +3,26 @@ "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || 
($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || 
($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json index 89ee21fe61c..738792f764b 100644 --- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json 
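Review bot: `UpdateOrganizationalUni` in the `expectedValue` and `actualValue` of both entries looks like a truncated event name; the AWS Organizations CloudTrail event is `UpdateOrganizationalUnit`. Since this fixture only records what the query emits, the missing letter most likely sits in the query's required metric-filter pattern, in which case a filter that correctly names the event would still be reported as not matching while this test stays green — a detection gap frozen into the expected results. The fix belongs in the query's pattern string (`($.eventName = UpdateOrganizationalUnit)`), after which this fixture should be regenerated rather than hand-edited.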
@@ -3,12 +3,26 @@ "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) 
|| ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json index 01f6d72185c..77c18b393e0 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + 
"resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json index 524dfb593ab..c89016b95f4 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": 
"", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json index 8dcb4abaef3..08095adfa69 100644 --- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern 
{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json index 0300572746a..09fe236bad9 100644 --- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "CloudWatch Log Group Without KMS",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudwatch_log_group",
+ "resourceName": "Yada",
+ "searchKey": "aws_cloudwatch_log_group[negative1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'kms_key_id' should be set",
+ "actualValue": "Attribute 'kms_key_id' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json
index a8111fc9274..2187e7b3912 100644
--- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json
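Review bot: The new `"searchKey": "aws_cloudwatch_log_group[negative1]"` shows that the only positive sample for this query is a resource labelled `negative1` inside positive.tf. The fixture is accurate for what the sample contains, but the label reads as a compliant case, which invites a future cleanup that removes it and silently drops all positive coverage for the missing `kms_key_id` check. Renaming the resource in positive.tf to `positive1` and updating this line to `"searchKey": "aws_cloudwatch_log_group[positive1]"` would keep the test's intent visible; the same applies to the `"resourceName": "Yada"` placeholder if the sample is touched anyway.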
@@ -1,12 +1,28 @@ [ - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 10 - } + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_route53_zone", + "resourceName": "example.com", + "searchKey": "aws_route53_zone[no_query_log]", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' should be set for respective 'aws_route53_zone'", + "actualValue": "'aws_route53_query_log' is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_route53_query_log", + "resourceName": "log_group_mismatch", + "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' log group refers to the query log", + "actualValue": "'aws_route53_query_log' log group does not match with the log name", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json index 98c3bff2732..7dd0a4d2aec 100644 --- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,13 @@
 "queryName": "CloudWatch Logs Destination With Vulnerable Policy",
 "severity": "LOW",
 "line": 22,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudwatch_log_destination_policy",
+ "resourceName": "test_destination_policy",
+ "searchKey": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy should not have wildcard in 'principals' and 'actions'",
+ "actualValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy has wildcard in 'principals' or 'actions'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json
index 3ea9b674763..2285b1bd9d0 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CloudWatch Management Console Auth Failed Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Management Console Auth Failed Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Management Console Auth Failed Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Management Console Auth Failed Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json
index 66cbc78e523..73efd65bed0 100644
--- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
index fda8b64338a..ef7ee460a9a 100644
--- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "CloudWatch Metrics Disabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_method_settings",
+ "resourceName": "positive1",
+ "searchKey": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled should be true",
+ "actualValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CloudWatch Metrics Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_method_settings",
+ "resourceName": "positive2",
+ "searchKey": "aws_api_gateway_method_settings[positive2].settings",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled should be defined and not null",
+ "actualValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json
index a206a39b44e..d01e24d1da0 100644
--- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "CloudWatch Network Gateways Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Network Gateways Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Network Gateways Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json
index 1e6878d363a..ecbf9ab1a42 100644
--- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CloudWatch Root Account Use Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Root Account Use Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Root Account Use Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Root Account Use Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json
index d146a964901..1d57480ebf1 100644
--- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "CloudWatch Route Table Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Route Table Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch Route Table Changes Alarm Missing",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json
index 6e6bdca530c..4bee97cb1f4 100644
--- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json
@@ -3,48 +3,104 @@
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_no_mfa_console_signin_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_s3_bucket_policy_change_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "CloudWatch S3 policy Change Alarm Missing",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "cis_no_mfa_console_signin_metric_filter",
+ "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`",
+ "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json
index 378c98dd2b2..96d18826383 100644
--- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json
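Review bot: The seven entries in this hunk whose actualValue is `aws_cloudwatch_log_metric_filter with wrong pattern` are pinned to `"issueType": "MissingAttribute"`, yet that message describes a filter that is present but carries the wrong pattern, which is the IncorrectValue case; only the first entry (`not associated with any aws_cloudwatch_metric_alarm`) is a genuinely missing attribute. The generator described in this commit copies the value from the query's rego, so the fixture is probably faithful and the classification question belongs to that rego, but the fixture is what CI will enforce from now on, so it is worth confirming before merging. For comparison, the cloudwatch_metrics_disabled fixture earlier in this commit uses `IncorrectValue` for `metrics_enabled is false` and reserves `MissingAttribute` for `is undefined or null`.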
@@ -3,18 +3,39 @@
 "queryName": "Cloudwatch Security Group Changes Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloudwatch Security Group Changes Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Cloudwatch Security Group Changes Alarm Missing",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_cloudwatch_log_metric_filter",
+ "resourceName": "unknown",
+ "searchKey": "resource",
+ "searchValue": "",
+ "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm",
+ "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json
index a85b9cc9ec1..93c89cf8339 100644
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter 
not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json index b13d90ce06d..417c7895794 100644 --- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = 
CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = 
AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index f2071da151f..3739021d0e1 100644 --- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'retention_in_days' should be set and valid", + "actualValue": "Attribute 'retention_in_days' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[positive2].retention_in_days", + "searchValue": "", + "expectedValue": "Attribute 'retention_in_days' should be set and valid", + "actualValue": "Attribute 'retention_in_days' is set but invalid", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json index d08e5c00762..ee19906d346 100644 --- a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "CMK Is Unusable", "severity": "MEDIUM", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "a", + "searchKey": "aws_kms_key[a].is_enabled", + "searchValue": "", + "expectedValue": "aws_kms_key[a].is_enabled should be set to true", + "actualValue": "aws_kms_key[a].is_enabled is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json index 09a15bd8446..97d5075302f 100644 --- a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive2].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive3", + "searchKey": "aws_kms_key[positive3]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive3].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive3].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive4", + "searchKey": "aws_kms_key[positive4]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive4].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive4].enable_key_rotation is false", + "issueType": "IncorrectValue" }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_kms_key", + "resourceName": 
"positive5", + "searchKey": "aws_kms_key[positive5]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false", + "actualValue": "aws_kms_key[positive5].enable_key_rotation is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json index 7c4547c7354..54de250cea0 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "CodeBuild Project Encrypted With AWS Managed Key", "severity": "LOW", - "line": 35 + "line": 35, + "filename": "positive.tf", + "resourceType": "aws_codebuild_project", + "resourceName": "project-cloudrail-test", + "searchKey": "aws_codebuild_project[project-cloudrail-test].encryption_key", + "searchValue": "", + "expectedValue": "CodeBuild Project should not be encrypted with AWS managed key", + "actualValue": "CodeBuild Project is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json index 0942578b863..d2098381d30 100644 --- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json 
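Review bot: The positive5 entry pins `"expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false"` with `"actualValue": "... is true"`, the inverse of the other four entries in this hunk for a query named "CMK Rotation Disabled". This is presumably the branch for key specs that do not support automatic rotation, where `true` is the invalid value; if so the entry is correct, but it is worth confirming against positive5.tf and the query before merging, because a copy-paste inversion here would make the test assert the wrong finding. A one-line comment in the query branch that emits this message would spare the next reader the same check.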
@@ -2,16 +2,40 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive1", + "searchKey": "aws_cognito_user_pool[positive1]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", + "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive2", + "searchKey": "aws_cognito_user_pool[positive2]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", + "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 32 + "line": 32, + "filename": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive3", + "searchKey": "aws_cognito_user_pool[positive3]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive3] should have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "actualValue": "aws_cognito_user_pool[positive3] doesn't have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 66411526a70..1bd884ddead 100644 
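Review bot: The positive2 entry's `expectedValue` ends with `'ON' or 'OPTIONAL` — the closing quote is missing, so the fixture pins an unbalanced user-facing message. The defect is in the query's keyExpectedValue string and should be fixed there, `"... mfa_configuration should be set to 'ON' or 'OPTIONAL'"`, with this file regenerated afterwards; editing the fixture alone would just make the test fail against the query.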
--- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 16, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 2130cceed2f..39a4ba5f48b 100644 
--- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_config_config_rule", + "resourceName": "unknown", + "searchKey": "aws_config_config_rule", + "searchValue": "", + "expectedValue": "There should be a 'aws_config_config_rule' resource with source id: 'ENCRYPTED_VOLUMES'", + "actualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index ba8676020d4..6d12038b5ff 100644 --- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive3].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index d4de57a7a33..6f980b95df0 100644 --- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_1", + "searchKey": "aws_dax_cluster[{{bar_1}}]", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption is missing", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 14, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_2", + "searchKey": "aws_dax_cluster[{{bar_2}}].server_side_encryption", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 25, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_3", + "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 9fc13b5371e..c5f3430d7fc 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 14, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive3.tf" - } + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 14, + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 1, + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].storage_encrypted", + "searchValue": "", + 
"expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 3190fe513b0..9e1a03deed3 100644 --- a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 9, - "fileName": "positive2.tf" - } + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 5, + "filename": "positive1.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress.cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress.cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue" + }, + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 9, + "filename": "positive2.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress[1].cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress[1].cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue" + } ] 
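Review bot: In the DB Security Group Has Public Interface section, the positive2.tf entry has `"searchKey": "aws_db_security_group[positive1].ingress.cidr"` while its `expectedValue` and `actualValue` refer to `ingress[1].cidr`, so the search key and the message disagree on which ingress block is flagged. If the query's searchKey builder drops the list index, the finding cannot be located precisely in a file with several ingress blocks; either the searchKey should carry it, e.g. `aws_db_security_group[positive1].ingress[1].cidr`, or the message should drop it. The label `positive1` inside positive2.tf is also worth checking against the sample file. Either way the fixture should be regenerated from the corrected query rather than hand-edited.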
diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index a231edd750c..ccd13e7e588 100644 --- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' > 24", + "actualValue": "'aws_db_security_group.ingress.cidr' <= 24", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 48e1b64a9c2..2f3e3c79b67 100644 --- a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' != 0.0.0.0/0", + "actualValue": "'aws_db_security_group.ingress.cidr'= 0.0.0.0/0", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 3cc3958c7b9..695ff81d62c 100644 --- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_default_security_group[positive1]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive2", + "searchKey": "aws_default_security_group[positive2]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 24 + "line": 24, + "filename": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive3", + "searchKey": "aws_default_security_group[positive3]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json index 67846e5982e..34211980a41 100644 --- a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json 
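Review bot: All three new entries pin `"resourceType": "aws_db_security_group"` while every `searchKey` is `aws_default_security_group[positiveN]` and the query is about default security groups, so the fixture appears to lock in a wrong resourceType emitted by the query rather than a genuine expectation. The same entries also carry the typo `diferent` in `expectedValue`. Both belong in the query's result dict (`"resourceType": "aws_default_security_group"` and `"... different from '0.0.0.0/0' and '::/0'"`), with this file regenerated afterwards; accepting the fixture as-is makes the regression test guard the defect.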
@@ -3,12 +3,26 @@ "queryName": "Default VPC Exists", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_default_vpc", + "resourceName": "Default VPC", + "searchKey": "aws_default_vpc[positive1]", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue" }, { "queryName": "Default VPC Exists", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.default_vpc_name", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json index 8788d51d849..7033d4d3e02 100644 --- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "DOCDB Cluster Encrypted With AWS Managed Key", "severity": "LOW", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "test2", + "searchKey": "aws_docdb_cluster[test2].kms_key_id", + "searchValue": "", + "expectedValue": "DOCDB Cluster should not be encrypted with AWS managed key", + "actualValue": "DOCDB Cluster is encrypted with AWS managed key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json index bf3c7122305..5c2c01584ab 100644 --- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is missing", + "issueType": "MissingAttribute" }, { "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 19, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb_2", + "searchKey": "aws_docdb_cluster[{{docdb_2}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json index 6556e064692..baace016c76 100644 --- a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "DOCDB Cluster Without KMS", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.kms_key_id should be defined and not null", + "actualValue": "aws_docdb_cluster.kms_key_id is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json index 0c84ccf6804..c3f9659e4d9 100644 --- a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive1", + "searchKey": "aws_docdb_cluster[{{positive1}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive2", + "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive3", + "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive4", + "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": 
"aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index 4fe338ed241..3a5e0e13e03 100644 --- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption is missing", + "issueType": "MissingAttribute" }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 30, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index bb0ed6d24e4..69ec1493e39 100644 --- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 10, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", + "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false", + "issueType": "IncorrectValue" }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", + "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json index 2d63fdae815..7a202b1a81a 100644 
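Review bot: The two dynamodb_table_point_in_time_recovery_disabled entries state the same requirement with different wording: `point_in_time_recovery.enabled should be set to true` on the IncorrectValue entry and `point_in_time_recovery.enabled should be enabled` on the MissingAttribute entry. Both branches presumably live in the same query.rego, so aligning them on one phrasing (`should be set to true`) keeps the expected/actual pair readable and avoids two near-duplicate strings in the fixture. This is a style point only; the issueType on each entry is consistent with its actualValue.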
--- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Dynamodb VPC Endpoint Without Route Table Association", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "aws_vpc_endpoint", + "resourceName": "dynamodb-vpce-gw", + "searchKey": "aws_vpc_endpoint[dynamodb-vpce-gw].vpc_id", + "searchValue": "", + "expectedValue": "Dynamodb VPC Endpoint should be associated with Route Table Association", + "actualValue": "Dynamodb VPC Endpoint is not associated with Route Table Association", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json index 65ef7abe96e..20a0ccc203e 100644 --- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "EBS Default Encryption Disabled", "severity": "HIGH", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_ebs_encryption_by_default", + "resourceName": "positive1", + "searchKey": "aws_ebs_encryption_by_default[positive1].enabled", + "searchValue": "", + "expectedValue": "'aws_ebs_encryption_by_default.encrypted' should be true", + "actualValue": "'aws_ebs_encryption_by_default.encrypted' is false", + "issueType": "IncorrectValue" } ] 
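Review bot: In the ebs_default_encryption_disabled entry the searchKey is `aws_ebs_encryption_by_default[positive1].enabled`, but expectedValue and actualValue refer to `'aws_ebs_encryption_by_default.encrypted'`, which is not the attribute the finding is anchored on; the fixture now freezes a message that points users at the wrong field. The message presumably comes from the query's rego, so the fix belongs there (`'aws_ebs_encryption_by_default.enabled' should be true` / `'aws_ebs_encryption_by_default.enabled' is false`) followed by regenerating this file.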
diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 8ba140c64e7..6fa8ca87a7d 100644 --- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "HelloWorld", + "searchKey": "aws_ebs_volume[positive1].encrypted", + "searchValue": "", + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'", + "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Encryption Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "HelloWorld", + "searchKey": "aws_ebs_volume[positive2]", + "searchValue": "", + "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined", + "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json index da1650285d8..07a7f486dfe 100644 --- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "EBS Volume Snapshot Not Encrypted", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_ebs_volume", + "resourceName": "positive1", + "searchKey": "aws_ebs_volume[positive1].encrypted", + "searchValue": "", + "expectedValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] should be true", + "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false", + "issueType": "IncorrectValue" }, { "queryName": "EBS Volume Snapshot Not Encrypted", "severity": "HIGH", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_ebs_snapshot", + "resourceName": "positive2", + "searchKey": "aws_ebs_snapshot[positive2]", + "searchValue": "", + "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set", + "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json index 71d37ca807f..930b509fdd9 100644 --- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.web2", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be defined and not null", + "actualValue": "'associate_public_ip_address' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.web3.associate_public_ip_address", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be set to false", + "actualValue": "'associate_public_ip_address' is true", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be defined and not null", + "actualValue": "'associate_public_ip_address' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].associate_public_ip_address", + "searchValue": "", + "expectedValue": "'associate_public_ip_address' should be set to false", + "actualValue": "'associate_public_ip_address' is true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json index edc9aa0da27..cf6fc7891f8 100644 --- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.{{monitoring_positive1}}", + "searchValue": "", + "expectedValue": "'monitoring' should be defined and not null", + "actualValue": "'monitoring' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance.{{monitoring_positive2}}.monitoring", + "searchValue": "", + "expectedValue": "monitoring_positive2.'monitoring' should be set to true", + "actualValue": "monitoring_positive2.'monitoring' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'monitoring' should be defined and not null", + "actualValue": "'monitoring' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].monitoring", + "searchValue": "", + "expectedValue": "ec2_instance.'monitoring' should be set to true", + "actualValue": "ec2_instance.'monitoring' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Monitoring Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive5.json" + "filename": "positive5.json", + "resourceType": "aws_instance", + "resourceName": "cdktf-test", + 
"searchKey": "aws_instance.{{cdktf-test}}.monitoring", + "searchValue": "", + "expectedValue": "cdktf-test.'monitoring' should be set to true", + "actualValue": "cdktf-test.'monitoring' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json index 715b290c48f..a99e769f7f3 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json 
@@ -3,72 +3,156 @@ "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive1]", + "searchValue": "", + "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive2.tf" + "line": 1, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive3.tf" + "line": 1, + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 5, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys", + 
"issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive5.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive2]", + "searchValue": "", + "expectedValue": "aws_instance[positive2] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", "line": 5, - "fileName": "positive6.tf" + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive3]", + "searchValue": "", + "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive7.tf" + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive4]", + "searchValue": "", + "expectedValue": "aws_instance[positive4] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive4].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive8.tf" + "line": 5, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive5]", + "searchValue": "", + "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions", + "actualValue": 
"aws_instance[positive5].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 13, - "fileName": "positive9.tf" + "line": 5, + "filename": "positive6.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive6]", + "searchValue": "", + "expectedValue": "aws_instance[positive6] should be using iam_instance_profile to assign a role with permissions", + "actualValue": "aws_instance[positive6].user_data is being used to configure AWS API keys", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "fileName": "positive10.tf" + "line": 13, + "filename": "positive7.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive7].provisioner", + "searchValue": "", + "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "fileName": "positive11.tf" + "line": 13, + "filename": "positive8.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive8].provisioner", + "searchValue": "", + "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys", + "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using API Keys", "severity": "LOW", - "line": 1, - "fileName": "positive12.tf" + "line": 13, + "filename": "positive9.tf", + "resourceType": "aws_instance", + "resourceName": "test", + "searchKey": "aws_instance[positive9].provisioner", + 
"searchValue": "", + "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys", + "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 60974d84ff2..ed74cd1bdf9 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].security_groups", + "searchValue": "", + "expectedValue": "aws_instance[positive1].security_groups should not be using default security group", + "actualValue": "aws_instance[positive1].security_groups is using at least one default security group", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2", + "searchKey": "aws_instance[positive2].vpc_security_group_ids", + "searchValue": "", + "expectedValue": "aws_instance[positive2].vpc_security_group_ids should not be using default security group", + "actualValue": "aws_instance[positive2].vpc_security_group_ids is using at least one default security group", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
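Review bot: The three provisioner entries of ec2_instance_using_api_keys (positive7.tf, positive8.tf, positive9.tf) have expectedValue and actualValue inverted: expectedValue reads `aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys`, which is the insecure state the query flags, while actualValue carries the remediation `aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions`. Compare the user_data entries above, where expectedValue is the iam_instance_profile recommendation and actualValue describes the credential exposure. Since the fixture only echoes the query, the swap is presumably in the provisioner branch of query.rego and should be corrected there, then this file regenerated; otherwise the test suite locks in a finding whose remediation text tells users to embed keys. The same query also reports `MissingAttribute` for user_data findings but `IncorrectValue` for provisioner findings although both describe the same condition (credentials embedded instead of an instance profile); one issueType across both branches would be consistent.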
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 9d70d60ac40..98158e9f133 100644 --- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "EC2 Instance Using Default VPC", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1", + "searchKey": "aws_instance[positive1].subnet_id", + "searchValue": "", + "expectedValue": "aws_instance[positive1].subnet_id should not be associated with a default VPC", + "actualValue": "aws_instance[positive1].subnet_id is associated with a default VPC", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 98335b48ae9..be29eecc0d9 100644 --- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 17, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[{{web}}]", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 20, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[{{web}}].ebs_optimized", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 1, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 9, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].ebs_optimized", + "searchValue": "", + "expectedValue": "'ebs_optimized' should be set to true", + "actualValue": "'ebs_optimized' is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 5f98584ec05..85a7e65611f 100644 --- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "bar", + "searchKey": "aws_ecr_repository.foo2.image_tag_mutability", + "searchValue": "", + "expectedValue": "aws_ecr_repository.foo2.image_tag_mutability should be 'IMMUTABLE'", + "actualValue": "aws_ecr_repository.foo2.image_tag_mutability is 'MUTABLE'", + "issueType": "IncorrectValue" }, { "queryName": "ECR Image Tag Not Immutable", "severity": "MEDIUM", "line": 10, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "bar", + "searchKey": "aws_ecr_repository.foo3", + "searchValue": "", + "expectedValue": "aws_ecr_repository.foo3.image_tag_mutability should be defined and not null", + "actualValue": "aws_ecr_repository.foo3.image_tag_mutability is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 6a419b1981b..fcd9ff17659 100644 --- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "ECR Repository Is Publicly Accessible",
 "severity": "CRITICAL",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecr_repository_policy",
+ "resourceName": "positive2",
+ "searchKey": "aws_ecr_repository_policy[positive2].policy",
+ "searchValue": "",
+ "expectedValue": "'Statement.Principal' shouldn't contain '*'",
+ "actualValue": "'Statement.Principal' contains '*'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
index ff2bfc9644f..feff26fda4a 100644
--- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "bar",
+ "searchKey": "aws_ecr_repository[foo]",
+ "searchValue": "",
+ "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN",
+ "actualValue": "'encryption_configuration' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "barX",
+ "searchKey": "aws_ecr_repository[fooX].encryption_configuration",
+ "searchValue": "",
+ "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN",
+ "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
index 8733ccfe1b0..9fc1778b6f8 100644
--- a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ECR Repository Without Policy",
 "severity": "LOW",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "foo",
+ "searchKey": "aws_ecr_repository[foo]",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[foo] has policies attached",
+ "actualValue": "aws_ecr_repository[foo] doesn't have policies attached",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ECR Repository Without Policy",
 "severity": "LOW",
 "line": 1,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "foo2",
+ "searchKey": "aws_ecr_repository[foo2]",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[foo2] has policies attached",
+ "actualValue": "aws_ecr_repository[foo2] doesn't have policies attached",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index 14338d961fd..8b9b824870f 100644
--- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecs_cluster",
+ "resourceName": "white-hart",
+ "searchKey": "aws_ecs_cluster[foo]",
+ "searchValue": "",
+ "expectedValue": "'aws_ecs_cluster[foo].setting.name' should be set to 'containerInsights' and 'aws_ecs_cluster[foo].setting.value' should be set to 'enabled'",
+ "actualValue": "'aws_ecs_cluster[foo].setting.name' is not set to 'containerInsights' and/or 'aws_ecs_cluster[foo].setting.value' is not set to 'enabled'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
index c472ceefe5b..c640fb1c125 100644
--- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "ECS Service Admin Role Is Present",
- "severity": "HIGH",
- "line": 7
- }
+ {
+ "queryName": "ECS Service Admin Role Is Present",
+ "severity": "HIGH",
+ "line": 7,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecs_service",
+ "resourceName": "mongodb",
+ "searchKey": "aws_ecs_service[positive1].iam_role",
+ "searchValue": "",
+ "expectedValue": "'aws_ecs_service[positive1].iam_role' should not equal to 'admin'",
+ "actualValue": "'aws_ecs_service[positive1].iam_role' is equal to 'admin'",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
index 038245c2cee..669150c7f58 100644
--- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_ecs_service",
+ "resourceName": "positive1",
+ "searchKey": "aws_ecs_service[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_ecs_service[positive1]' has at least 1 task running",
+ "actualValue": "'aws_ecs_service[positive1]' must have at least 1 task running",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
index 18ccc7a1c7e..9ce62c25069 100644
--- a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
@@ -1,14 +1,28 @@
 [
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 15,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_ecs_service",
+ "resourceName": "example_service_dev",
+ "searchKey": "aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip",
+ "searchValue": "",
+ "expectedValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' should be set to 'false'(default value is 'false')",
+ "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true",
+ "issueType": "IncorrectValue"
 },
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 17,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ecs].services.frontend.assign_public_ip",
+ "searchValue": "",
+ "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')",
+ "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
index be1f04a0a99..48c28da9917 100644
--- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "ECS Task Definition Network Mode Not Recommended",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "positive1",
+ "searchKey": "aws_ecs_task_definition[positive1].network_mode",
+ "searchValue": "",
+ "expectedValue": "'network_mode' should equal to 'awsvpc'",
+ "actualValue": "'network_mode' is equal to 'none'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json
index 2eaa672c30d..9ba0b45eceb 100644
--- a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_efs_file_system",
+ "resourceName": "MyProduct",
+ "searchKey": "aws_efs_file_system[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null",
+ "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "aws_efs_file_system",
+ "resourceName": "MyProduct",
+ "searchKey": "aws_efs_file_system[positive2].encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true",
+ "actualValue": "aws_efs_file_system[positive2].encrypted' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
index 562e3a327a2..8623ca288da 100644
--- a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service",
+ "searchKey": "aws_ecs_task_definition[{{service}}].volume.efs_volume_configuration.transit_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_2",
+ "searchKey": "aws_ecs_task_definition[{{service_2}}].volume.efs_volume_configuration",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_2",
+ "searchKey": "aws_ecs_task_definition[{{service_2}}].volume",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_4",
+ "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[0].efs_volume_configuration.transit_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_4",
+ "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[1].efs_volume_configuration.transit_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_5",
+ "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[0].efs_volume_configuration",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_5",
+ "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[1].efs_volume_configuration",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_6",
+ "searchKey": "aws_ecs_task_definition[{{service_6}}].volume[0]",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_6",
+ "searchKey": "aws_ecs_task_definition[{{service_6}}].volume[1]",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EFS Volume With Disabled Transit Encryption",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "aws_ecs_task_definition",
+ "resourceName": "service_7",
+ "searchKey": "aws_ecs_task_definition[{{service_7}}].volume[1].efs_volume_configuration.transit_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'",
+ "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json
index c8af7a301f9..566568a6bae 100644
--- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "EFS With Vulnerable Policy",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_efs_file_system_policy",
+ "resourceName": "not_secure_policy",
+ "searchKey": "aws_efs_file_system_policy[not_secure_policy].policy",
+ "searchValue": "",
+ "expectedValue": "aws_efs_file_system_policy[not_secure_policy].policy should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "aws_efs_file_system_policy[not_secure_policy].policy has wildcard in 'Action' or 'Principal'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json
index ba63f84dca0..8acad4a443a 100644
--- a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "EFS Without KMS",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_efs_file_system",
+ "resourceName": "MyProduct",
+ "searchKey": "aws_efs_file_system[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_efs_file_system[positive1].kms_key_id' should be defined'",
+ "actualValue": "aws_efs_file_system[positive1].kms_key_id' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
index 1dc99e33f29..3c5fe608135 100644
--- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_eks_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'encryption_config' should be defined and not null",
+ "actualValue": "'encryption_config' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "EKS Cluster Encryption Disabled",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_eks_cluster[positive2].encryption_config.resources",
+ "searchValue": "",
+ "expectedValue": "'secrets' should be defined",
+ "actualValue": "'secrets' is undefined",
+ "issueType": "IncorrectValue"
 }
 ]
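Review bot: In the eks_cluster_encryption_disabled section, the positive2.tf entry pairs `"issueType": "IncorrectValue"` with `"actualValue": "'secrets' is undefined"`, while every other entry in this chunk whose actual-value text says "is undefined" carries `MissingAttribute`. If this fixture is meant to be the golden value a test asserts against, the pairing is worth confirming against the query's rego before merging, since a wrong issueType here would pin the inconsistency rather than catch it. A similar consistency check is worth doing on the ecs_service_without_running_tasks section, where the `expectedValue` and `actualValue` strings read as if they were swapped.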
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json
index d8b401a6a00..16e96bd38d6 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "EKS Cluster Has Public Access",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_eks_cluster[positive1].vpc_config.endpoint_public_access",
+ "searchValue": "",
+ "expectedValue": "'vpc_config.endpoint_public_access' should equal 'false'",
+ "actualValue": "'vpc_config.endpoint_public_access' is equal 'true'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json
index fc8b1649bfe..ac639909ae9 100644
--- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "EKS Cluster Has Public Access CIDRs",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_eks_cluster[positive1].vpc_config.public_access_cidrs",
+ "searchValue": "",
+ "expectedValue": "One of 'vpc_config.public_access_cidrs' not equal '0.0.0.0/0'",
+ "actualValue": "One of 'vpc_config.public_access_cidrs' is equal '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "EKS Cluster Has Public Access CIDRs",
 "severity": "MEDIUM",
- "line": 30
+ "line": 30,
+ "filename": "positive.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "without_example",
+ "searchKey": "aws_eks_cluster[positive2].vpc_config.public_access_cidrs",
+ "searchValue": "",
+ "expectedValue": "'vpc_config.public_access_cidrs' should exist",
+ "actualValue": "'vpc_config.public_access_cidrs' is missing",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json
index 5f09bd406dd..29a9efef712 100644
--- a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "EKS cluster logging is not enabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_eks_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'enabled_cluster_log_types' should be defined and not null",
+ "actualValue": "'enabled_cluster_log_types' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json
index 56ceeded77b..c1bb19ff4ce 100644
--- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "EKS node group remote access disabled",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_eks_node_group",
+ "resourceName": "positive",
+ "searchKey": "aws_eks_node_group[positive].remote_access",
+ "searchValue": "",
+ "expectedValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' should be defined and not null",
+ "actualValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
index 21916a4ecf0..e9622391b50 100644
--- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster-example",
+ "searchKey": "aws_elasticache_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster",
+ "actualValue": "'az_mode' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster-example",
+ "searchKey": "aws_elasticache_cluster[positive2].az_mode",
+ "searchValue": "",
+ "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster",
+ "actualValue": "'az_mode' is 'single-az'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
index e6c9f8ed3cc..58d39fa68a4 100644
--- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "ElastiCache Redis Cluster Without Backup",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'snapshot_retention_limit' should be higher than 0",
+ "actualValue": "'snapshot_retention_limit' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Redis Cluster Without Backup",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit",
+ "searchValue": "",
+ "expectedValue": "'snapshot_retention_limit' should be higher than 0",
+ "actualValue": "'snapshot_retention_limit' is 0",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json
index 97de094b1b1..ace4bac44fa 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ElastiCache Replication Group Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticache_replication_group",
+ "resourceName": "example",
+ "searchKey": "aws_elasticache_replication_group[example]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true",
+ "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Replication Group Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticache_replication_group",
+ "resourceName": "example2",
+ "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true",
+ "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json
index f12eb88b6db..7795b6cf7d9 100644
--- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "ElastiCache Replication Group Not Encrypted At Transit",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticache_replication_group",
+ "resourceName": "example",
+ "searchKey": "aws_elasticache_replication_group[example]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true",
+ "actualValue": "The attribute 'transit_encryption_enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Replication Group Not Encrypted At Transit",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticache_replication_group",
+ "resourceName": "example",
+ "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true",
+ "actualValue": "The attribute 'transit_encryption_enabled' is not set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json
index c99229d5c61..25d0fc9c4d4 100644
--- a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_elasticache_cluster.port should be defined and not null",
+ "actualValue": "aws_elasticache_cluster.port is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_elasticache_cluster.port should be defined and not null",
+ "actualValue": "aws_elasticache_cluster.port is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive3].port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 6379",
+ "actualValue": "'port' is set to 6379",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ElastiCache Using Default Port",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster",
+ "searchKey": "aws_elasticache_cluster[positive2].port",
+ "searchValue": "",
+ "expectedValue": "'port' should not be set to 11211",
+ "actualValue": "'port' is set to 11211",
+ "issueType": "IncorrectValue"
 }
 ]
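Review bot: The positive4.tf entry carries `"searchKey": "aws_elasticache_cluster[positive2].port"` while the other three entries index the resource by their own file's label (positive1, positive2, positive3); unless positive4.tf really labels its resource `positive2`, this string will not match the scanner output and the test will fail on exactly this field. Worth checking the fixture .tf and, if the resource is labelled `positive4`, changing the key to `aws_elasticache_cluster[positive4].port`. If the resource in positive4.tf is in fact called `positive2`, renaming it to `positive4` there and here would keep the fixtures unambiguous.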
diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json
index a1992dd7bdd..9adf79f6789 100644
--- a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "ElastiCache Without VPC",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "ElastiCache Without VPC",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticache_cluster",
+ "resourceName": "cluster-example",
+ "searchKey": "aws_elasticache_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_elasticache_cluster[positive1].subnet_group_name' should be defined and not null'",
+ "actualValue": "'aws_elasticache_cluster[positive1].subnet_group_name' is undefined or null",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
index 97643939504..5c5ee80c1aa 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
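Review bot: The new expectedValue in the elasticache_without_vpc entry ends with a stray apostrophe, `... should be defined and not null'` — the quote after `subnet_group_name'` already closes the one opened before `aws_elasticache_cluster`. Because these fixtures are compared verbatim with what query.rego emits, the typo presumably originates in the query's keyExpectedValue; correcting it only here would make the test fail, so fix the message in query.rego and regenerate this entry in the same change. The emr_without_vpc entry later in this diff shows the same trailing `'`.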
@@ -3,12 +3,26 @@
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[{{positive1}}]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'node_to_node_encryption' should be set to true",
+ "actualValue": "The attribute 'node_to_node_encryption' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled",
+ "searchValue": "",
+ "expectedValue": "The attribute 'node_to_node_encryption' should be set to true",
+ "actualValue": "The attribute 'node_to_node_encryption' is not set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json
index 2b1845daf6d..16a879b2f9f 100644
--- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Elasticsearch Domain With Vulnerable Policy",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticsearch_domain_policy",
+ "resourceName": "main",
+ "searchKey": "aws_elasticsearch_domain_policy[main].access_policies",
+ "searchValue": "",
+ "expectedValue": "aws_elasticsearch_domain_policy[main].access_policies should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "aws_elasticsearch_domain_policy[main].access_policies has wildcard in 'Action' or 'Principal'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json
index 35a08640780..0ef82a1157f 100644
--- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "ElasticSearch Encryption With KMS Disabled",
 "severity": "HIGH",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[positive1].encrypt_at_rest",
+ "searchValue": "",
+ "expectedValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' should be set with encryption at rest",
+ "actualValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
index a22034a740d..82e73a4e397 100644
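Review bot: expectedValue and actualValue for the Elasticsearch domain policy entry disagree on the condition: `should not have wildcard in 'Action' and 'Principal'` versus `has wildcard in 'Action' or 'Principal'`. If the query fires on either wildcard, which the 'or' in actualValue suggests, the expected text should read `should not have wildcard in 'Action' or 'Principal'`; pinning the present wording here makes the fixture enforce the inconsistency. Both strings come from query.rego, so change it there and regenerate rather than editing only this file; the glue_with_vulnerable_policy entry later in the diff has the same and/or mismatch.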
--- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Elasticsearch Log Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.enabled",
+ "searchValue": "",
+ "expectedValue": "'log_publishing_options.enabled' should be true",
+ "actualValue": "'log_publishing_options.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Log Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive2",
+ "searchKey": "aws_elasticsearch_domain[{{positive2}}]",
+ "searchValue": "",
+ "expectedValue": "'log_publishing_options' should be defined and not null",
+ "actualValue": "'log_publishing_options' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
index 7a0f9115878..ca2f6bb233d 100644
--- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[positive1]",
+ "searchValue": "",
+ "expectedValue": "'encrypt_at_rest' should be set and enabled",
+ "actualValue": "'encrypt_at_rest' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive2",
+ "searchKey": "aws_elasticsearch_domain[positive2].encrypt_at_rest.enabled",
+ "searchValue": "",
+ "expectedValue": "'encrypt_at_rest.enabled' should be true",
+ "actualValue": "'encrypt_at_rest.enabled' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index 982f13b43ec..1e70b9a61a5 100644
--- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "my-elasticsearch-domain",
+ "searchKey": "aws_elasticsearch_domain[{{example}}]",
+ "searchValue": "",
+ "expectedValue": "The attribute 'enforce_https' should be set to 'true'",
+ "actualValue": "The attribute 'enforce_https' is set to 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json
index dd2e7e151b2..8b3880ce36b 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Elasticsearch Without IAM Authentication",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "example",
+ "searchKey": "aws_elasticsearch_domain[example]",
+ "searchValue": "",
+ "expectedValue": "Elasticsearch Domain ensure IAM Authentication",
+ "actualValue": "Elasticsearch Domain does not ensure IAM Authentication",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Elasticsearch Without IAM Authentication",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "example2",
+ "searchKey": "aws_elasticsearch_domain[example2]",
+ "searchValue": "",
+ "expectedValue": "Elasticsearch Domain ensure IAM Authentication",
+ "actualValue": "Elasticsearch Domain does not ensure IAM Authentication",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
index 023e30233ed..efc23241fc3 100644
--- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 4,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elasticsearch_domain",
+ "resourceName": "positive1",
+ "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.log_type",
+ "searchValue": "",
+ "expectedValue": "'log_publishing_options.log_type' should not be INDEX_SLOW_LOGS or SEARCH_SLOW_LOGS ",
+ "actualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json
index 6c46eb0bbaf..369bf6309fb 100644
--- a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json
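Review bot: The new slow-logs entry pins two defects in the query's messages: expectedValue ends with a trailing space (`... or SEARCH_SLOW_LOGS "`) and actualValue names `'log_publishing_options.enabled'` although the searchKey and expectedValue are about `log_publishing_options.log_type`. The expected/actual pair also appears inverted for a query called "Without Slow Logs" — it states the type should not be a slow-log type while the finding is about slow logs being absent. These strings come from query.rego, so correct them there (for instance `'log_publishing_options.log_type' is ES_APPLICATION_LOGS or AUDIT_LOGS`, no trailing space) and regenerate this fixture; editing the fixture alone would make the test fail.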
@@ -3,24 +3,52 @@
 "queryName": "ELB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_elb",
+ "resourceName": "foobar-terraform-elb",
+ "searchKey": "aws_elb[{{postive1}}].access_logs.enabled",
+ "searchValue": "",
+ "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true",
+ "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_elb",
+ "resourceName": "foobar-terraform-elb",
+ "searchKey": "aws_elb[{{postive2}}]",
+ "searchValue": "",
+ "expectedValue": "'aws_elb[{{postive2}}].access_logs' should be defined and not null",
+ "actualValue": "'aws_elb[{{postive2}}].access_logs' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB Access Log Disabled",
 "severity": "MEDIUM",
- "line": 39,
- "filename": "positive4.tf"
+ "line": 1,
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[elb_http]",
+ "searchValue": "",
+ "expectedValue": "'access_logs' should be defined and not null",
+ "actualValue": "'access_logs' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELB Access Log Disabled",
 "severity": "MEDIUM",
- "line": 1,
- "filename": "positive3.tf"
+ "line": 39,
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[elb_http].access_logs.enabled",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be true",
+ "actualValue": "'access_logs.enabled' is false",
+ "issueType": "IncorrectValue"
 }
 ]
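Review bot: The searchKey and message strings for positive1.tf and positive2.tf use `{{postive1}}` / `{{postive2}}` — "postive" rather than "positive". These presumably echo the resource labels in the fixture .tf files, so they may well match the scanner output, but the misspelling makes the fixture hard to grep and easy to "correct" later in only one of the two places. Either rename the resources in positive1.tf/positive2.tf to `positive1`/`positive2` and regenerate this file, or note in the PR that the spelling is intentional.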
diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json
index d3475be6d2a..e761cdc0ab0 100644
--- a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 41
+ "line": 30,
+ "filename": "positive.tf",
+ "resourceType": "aws_load_balancer_policy",
+ "resourceName": "positive4",
+ "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name",
+ "searchValue": "",
+ "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol",
+ "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 30
+ "line": 41,
+ "filename": "positive.tf",
+ "resourceType": "aws_load_balancer_policy",
+ "resourceName": "positive5",
+ "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name",
+ "searchValue": "",
+ "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol",
+ "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json
index 7e31718727b..b68ab27569a 100644
--- a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
- "line": 41
+ "line": 41,
+ "filename": "positive.tf",
+ "resourceType": "aws_load_balancer_policy",
+ "resourceName": "positive4",
+ "searchKey": "aws_load_balancer_policy[positive4]",
+ "searchValue": "",
+ "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' should not be a weak cipher",
+ "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
- "line": 63
+ "line": 63,
+ "filename": "positive.tf",
+ "resourceType": "aws_load_balancer_policy",
+ "resourceName": "positive5",
+ "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name",
+ "searchValue": "",
+ "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' should not be a weak cipher",
+ "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' is a weak cipher",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELB Using Weak Ciphers",
 "severity": "HIGH",
- "line": 74
+ "line": 74,
+ "filename": "positive.tf",
+ "resourceType": "aws_load_balancer_policy",
+ "resourceName": "positive6",
+ "searchKey": "aws_load_balancer_policy[positive6].policy_attribute.name",
+ "searchValue": "",
+ "expectedValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' should not be a weak cipher",
+ "actualValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' is a weak cipher",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json
index 585f9f8c48e..78277651a2c 100644
--- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_lb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_lb[test].access_logs.enabled",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs.enabled' is not set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_lb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_lb[test].access_logs",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs.enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_lb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_lb[test]",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_alb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_alb[test].access_logs.enabled",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs.enabled' is not set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_alb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_alb[test].access_logs",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs.enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "ELBv2 LB Access Log Disabled",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_alb",
+ "resourceName": "test-lb-tf",
+ "searchKey": "aws_alb[test]",
+ "searchValue": "",
+ "expectedValue": "'access_logs.enabled' should be defined and set to true",
+ "actualValue": "'access_logs' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json
index c1fd09e9e54..8e1a25f0dbc 100644
--- a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "EMR Without VPC",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "EMR Without VPC",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_emr_cluster",
+ "resourceName": "emr-test-arn",
+ "searchKey": "aws_emr_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null'",
+ "actualValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' is undefined or null",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json
index 660a6a6953f..c88d9efcfa5 100644
--- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Global Accelerator Flow Logs Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_globalaccelerator_accelerator",
+ "resourceName": "Example",
+ "searchKey": "aws_globalaccelerator_accelerator[{{positive1}}]",
+ "searchValue": "",
+ "expectedValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled should be defined and not null",
+ "actualValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Accelerator Flow Logs Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_globalaccelerator_accelerator",
+ "resourceName": "Example",
+ "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes",
+ "searchValue": "",
+ "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null",
+ "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Global Accelerator Flow Logs Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_globalaccelerator_accelerator",
+ "resourceName": "Example",
+ "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled",
+ "searchValue": "",
+ "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true",
+ "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json
index 053cddb8eb5..a0401343ce9 100644
--- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Glue Data Catalog Encryption Disabled",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_glue_data_catalog_encryption_settings",
+ "resourceName": "positive1",
+ "searchKey": "aws_glue_data_catalog_encryption_settings[positive1].data_catalog_encryption_settings.connection_password_encryption.return_connection_password_encrypted",
+ "searchValue": "",
+ "expectedValue": "'return_connection_password_encrypted' should be set to true",
+ "actualValue": "'return_connection_password_encrypted' is not set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Glue Data Catalog Encryption Disabled",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_glue_data_catalog_encryption_settings",
+ "resourceName": "positive2",
+ "searchKey": "aws_glue_data_catalog_encryption_settings[positive2].data_catalog_encryption_settings.connection_password_encryption",
+ "searchValue": "",
+ "expectedValue": "'aws_kms_key_id' should be defined and not null",
+ "actualValue": "'aws_kms_key_id' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Glue Data Catalog Encryption Disabled",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_glue_data_catalog_encryption_settings",
+ "resourceName": "positive3",
+ "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode",
+ "searchValue": "",
+ "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'",
+ "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Glue Data Catalog Encryption Disabled",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_glue_data_catalog_encryption_settings",
+ "resourceName": "positive4",
+ "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest",
+ "searchValue": "",
+ "expectedValue": "'sse_aws_kms_key_id' should be defined and not null",
+ "actualValue": "'sse_aws_kms_key_id' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json
index 99f94932214..2cdbff2cc14 100644
--- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Glue Security Configuration Encryption Disabled",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_glue_security_configuration",
+ "resourceName": "example",
+ "searchKey": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' defined and not null",
+ "actualValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Glue Security Configuration Encryption Disabled",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_glue_security_configuration",
+ "resourceName": "example",
+ "searchKey": "aws_glue_security_configuration[positive2].encryption_configuration.job_bookmarks_encryption.job_bookmarks_encryption_mode",
+ "searchValue": "",
+ "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'",
+ "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Glue Security Configuration Encryption Disabled",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_glue_security_configuration",
+ "resourceName": "example",
+ "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption",
+ "searchValue": "",
+ "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' defined and not null",
+ "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
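Review bot: The positive3.tf actualValue contains `aws_glue_security_configKeyiguration[positive2]` — "configKeyiguration" is a garbled token that matches neither the resourceType nor the searchKey and expectedValue on the same entry. Because expected results are compared verbatim with the query's output, either the typo lives in query.rego's keyActualValue (fix it there and regenerate) or it was introduced while editing this fixture (then the test fails on this string); both paths end with `aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null`. The same entry indexes `positive2` although it belongs to positive3.tf, which may simply be how the resource is labelled in that file but is worth confirming against the fixture.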
diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json
index 60c40b691d5..b0349b72111 100644
--- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Glue With Vulnerable Policy",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_glue_resource_policy",
+ "resourceName": "example",
+ "searchKey": "aws_glue_resource_policy[example].policy",
+ "searchValue": "",
+ "expectedValue": "aws_glue_resource_policy[example].policy should not have wildcard in 'principals' and 'actions'",
+ "actualValue": "aws_glue_resource_policy[example].policy has wildcard in 'principals' or 'actions'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
index 767d9dbbb2a..a6bf1dd3d95 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index dca2ecc1114..e072f39bb08 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
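Review bot: The expectedValue wording differs between sibling privilege-escalation fixtures: this glue:UpdateDevEndpoint entry uses `shouldn't be associated`, while the iam:AddUserToGroup hunk on the same line, and the iam:AttachRolePolicy, iam:CreateAccessKey, iam:PutRolePolicy and iam:PutUserPolicy hunks further down, use `should not be associated`. Since these fixtures presumably pin the scanner's keyExpectedValue output verbatim, the inconsistency originates in the query messages rather than in the JSON, so normalizing the wording in the rego and regenerating the fixtures is preferable to hand-editing the oracles. The remaining group_with_privilege_escalation_by_actions_* hunks (AttachGroupPolicy, AttachUserPolicy, CreateLoginProfile, CreatePolicyVersion, the PassRole combinations, PutGroupPolicy, SetDefaultPolicyVersion, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateFunctionCode) all use the `shouldn't` form, so either form can be chosen as the canonical one.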
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index 3c3fd030c44..8646fae9957 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 1e87698084e..b1b55f66035 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 528dfaa32ea..3fad1f6b9f0 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 96eba745bcc..a3f3c06f407 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 423c580bd76..80e7c9dc8f2 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index b08389ad245..657f71c3db1 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index e012e5db9e4..42c03a36a7a 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index e269c9d79e7..780eea30dcb 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 03396830fe3..ee7929dc132 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 3a5cbe039fe..e3589e480c8 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index e9e97ad162b..366e28e0ee1 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index a989eecfd2a..e6391d89f46 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 490028dfcbc..9d6c80d0b00 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 891da8391d0..7e190815b66 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index d94146558e8..b40a1fcf201 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index 550cd399885..1edd6a7e705 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 87b739574ab..ffa0c9e766c 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json index 2908de223bb..fcac8237ca3 100644 --- a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_guardduty_detector", + "resourceName": "positive1", + "searchKey": "aws_guardduty_detector[positive1].enable", + "searchValue": "", + "expectedValue": "GuardDuty Detector should be Enabled", + "actualValue": "GuardDuty Detector is not Enabled", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json index 7cfc634073e..de93c7c26df 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json 
@@ -2,13 +2,27 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" + "line": 13, + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 13, - "fileName": "positive1.tf" + "line": 5, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index f633fc224fd..8dd54f1be2b 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json 
@@ -2,13 +2,27 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 57, - "fileName": "positive.tf" + "line": 36, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive2", + "searchKey": "aws_lambda_function[positive2].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue" }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 36, - "fileName": "positive.tf" + "line": 57, + "filename": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive3", + "searchKey": "aws_lambda_function[positive3].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index 2fcdca8b230..37742d592c8 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json 
@@ -3,102 +3,221 @@ "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 60, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens 
the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-6].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 101, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", + 
"actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-2] opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 11, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": 
"module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 30, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 49, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 63, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 82, - "fileName": "positive4.tf" + "filename": 
"positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue" }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 96, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 9ffd7769e25..3f90f19af1e 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "filename": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 5cd10b3b788..f8db9043450 100644 --- a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 7 - } + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive1].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive1].user' is 'root' for an active access key", + "issueType": "IncorrectValue" + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive2].user' is 'root' for an active access key", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index be5ed3840b6..832d5d6b85b 100644 --- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 9e6e6fe4df8..5b3adfb3cc1 100644 --- a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json 
@@ -3,120 +3,260 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive10.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 10, + "filename": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive4.tf" + "line": 1, + "filename": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB 
Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.tf" + "line": 1, + "filename": "positive13.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.tf" + "line": 8, + "filename": "positive14.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.tf" + "filename": "positive15.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "filename": "positive16.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive9.tf" + "line": 
10, + "filename": "positive17.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive10.tf" + "filename": "positive18.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive11.tf" + "line": 9, + "filename": "positive19.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive12.tf" + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive2", + "searchKey": "aws_rds_cluster[positive2]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive13.tf" + "filename": "positive20.tf", + "resourceType": "n/a", + "resourceName": "n/a", + 
"searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "IAM DB Cluster Auth Not Enabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive3.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive14.tf" + "filename": "positive4.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive4", + "searchKey": "aws_rds_cluster[positive4].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive15.tf" + "line": 9, + "filename": "positive5.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive5", + "searchKey": "aws_rds_cluster[positive5].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive16.tf" + "filename": "positive6.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive6", + "searchKey": "aws_rds_cluster[positive6]", + 
"searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive17.tf" + "filename": "positive7.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive18.tf" + "filename": "positive8.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive19.tf" - }, - { - "queryName": "IAM DB Cluster Auth Not Enabled", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive20.tf" + "filename": "positive9.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] 
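Review bot: Every entry in this hunk whose actualValue reads "'iam_database_authentication_enabled' is defined to false" (positive1, positive4, positive5, positive7, positive9, positive11, positive14, positive15, positive17, positive19) is tagged `"issueType": "MissingAttribute"`, while the sibling fixture for iam_database_auth_not_enabled tags the equivalent "is set to false" case as `"issueType": "IncorrectValue"` and reserves MissingAttribute for the undefined case. An attribute that is present but false is an incorrect value, so this fixture would lock in the wrong classification; if query.rego really emits MissingAttribute for the false branch, the fix belongs in the rego (and the fixture regenerated) rather than here. The hunk also re-sorts the entries lexically by filename (positive10 now follows positive1), which is why the diff shows so many `line` changes; the old and new line values appear to match pairwise, so this looks like a pure reorder, but a reviewer will want that confirmed rather than inferred.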
diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json index 9694db417c6..675439f08cd 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json @@ -2,13 +2,27 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive2_1.tf", - "line": 1 + "line": 1, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive2_1.tf", - "line": 5 + "line": 5, + "filename": "positive2_1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index 88912a3df2c..464a0b09f4d 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -2,13 +2,27 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive1.tf", - "line": 12 + "line": 12, + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", - "fileName": "positive1.tf", - "line": 33 + "line": 33, + "filename": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json index fe66c904973..95fab2573d6 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1]", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is less than 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 4d1f265f81a..fb75fab87aa 100755 --- a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 18, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_attachment", + "resourceName": "excess_policy", + "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", + "searchValue": "", + "expectedValue": "'users' is redundant", + "actualValue": "'users' exists", + "issueType": "RedundantAttribute" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 18, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[{{positive2_3}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists", + "issueType": "RedundantAttribute" }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 27, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_user_policy_attachment", + "resourceName": "test-attach", + "searchKey": "aws_iam_user_policy_attachment[{{test-attach}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists", + "issueType": "RedundantAttribute" } ] diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 3c68baf6f98..413010fdac4 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json 
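Review bot: The three searchKey values in this hunk wrap the resource label in literal double braces, e.g. `"searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users"`, whereas every other fixture in this diff uses the plain `type[label].attr` form. If that is what query.rego emits today the fixture is faithful, but it is worth checking that the braces are intended output and not a leftover template placeholder, since this file now pins them as the expected value and any later normalisation of the rego's searchKey will fail this test.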
@@ -3,72 +3,156 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 20, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement[1]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement[2]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", 
"severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.tf" + 
"filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 2, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-1", + "searchKey": "aws_iam_policy[positive6-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 17, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-2", + "searchKey": "aws_iam_policy[positive6-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 15320368fd3..33272fffaf4 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json 
@@ -3,78 +3,169 @@ "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_policy[positive2].policy", + "searchValue": "*", + "expectedValue": "'positive2.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + 
"resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", 
"severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6", + "searchKey": "aws_iam_policy_document[positive6].statement.actions", + "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", + "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 22, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": 
"aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": "aws_iam_policy_document[positive6_array].statement[0].actions", + "searchValue": "s3:GetObject", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' contains [s3:GetObject]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 30, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": "aws_iam_policy_document[positive6_array].statement[1].actions", + "searchValue": "*", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' contains [*]", + "issueType": "IncorrectValue" }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 8, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "iam_policy.policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index ceff30e7ae2..cc7624765a0 100644 
--- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 70 + "line": 70, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 8a981228a0e..bf1c6f00550 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json 
@@ -3,30 +3,65 @@ "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 20, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "s3-permission", + "searchKey": "aws_iam_policy[s3-permission].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 12, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-0", + "searchKey": "aws_iam_policy_document[example-0]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 38, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-1", + "searchKey": "aws_iam_policy_document[example-1]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 
'statement.actions' contain '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 64, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-2", + "searchKey": "aws_iam_policy_document[example-2]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index cd0a7ead479..ef2db9cee20 100644 --- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-forward-logs", + "searchKey": "aws_iam_role[positive2].assume_role_policy.Principal.AWS", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal.AWS' should not contain ':root'", + "actualValue": "'assume_role_policy.Statement.Principal.AWS' contains ':root'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json index 08ff9253edb..55434ce8013 100644 
--- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "IAM Role Policy passRole Allows All", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "test_policy", + "searchKey": "aws_iam_role_policy[test_policy].policy", + "searchValue": "", + "expectedValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole shouldn't have Resource '*'", + "actualValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole has Resource '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json index 9382f8cea04..1d6f981cae2 100644 --- a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue" }, { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role2", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json index 9aeb404ff39..9d4227b6086 100644 --- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "IAM User Policy Without MFA", "severity": "LOW", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index ff82e6a3810..5a376648e5f 100644 --- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue" }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json index 80c7bbe8b3e..b31828a5d33 100644 --- a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "IAM User With Access To Console", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "example_login", + "searchKey": "aws_iam_user.example.name", + "searchValue": "", + "expectedValue": "aws_iam_user.example.name shouldn't have aws_iam_user_login_profile", + "actualValue": "aws_iam_user.example.name has aws_iam_user_login_profile", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 43fdf288455..e5ac24fc395 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json 
@@ -1,152 +1,327 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 28, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata 
Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 13, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive10.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive10.tf" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_1", + "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_2", + "searchKey": 
"aws_launch_configuration[positive1_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 28, + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_3", + "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_instance].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata 
Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_1", + "searchKey": "aws_instance[positive2_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive2_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_2", + "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "filename": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_3", + "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_1", + "searchKey": "aws_instance[positive3_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive3_1].metadata_options.http_tokens' should be 
defined to 'required'", + "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_2", + "searchKey": "aws_launch_configuration[positive3_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_3", + "searchKey": "aws_launch_template[positive3_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 5, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_1", + "searchKey": "aws_instance[positive4_1]", + "searchValue": "", + "expectedValue": "'aws_instance[positive4_1].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_instance[positive4_1].metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_2", + "searchKey": "aws_launch_configuration[positive4_2]", + 
"searchValue": "", + "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "filename": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_3", + "searchKey": "aws_launch_template[positive4_3]", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_1", + "searchKey": "aws_instance[positive5_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive5_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive5_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "filename": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_2", + "searchKey": "aws_launch_configuration[positive5_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "filename": 
"positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_3", + "searchKey": "aws_launch_template[positive5_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "filename": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "filename": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": 
"IncorrectValue"
+ },
+ {
+ "queryName": "Instance Uses Metadata Service IMDSv1",
+ "severity": "LOW",
+ "line": 21,
+ "filename": "positive7.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive7_launch_config].metadata_options.http_tokens",
+ "searchValue": "",
+ "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'",
+ "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Instance Uses Metadata Service IMDSv1",
+ "severity": "LOW",
+ "line": 9,
+ "filename": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8_instance].metadata_options",
+ "searchValue": "",
+ "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'",
+ "actualValue": "'module[positive8_instance].metadata_options.http_tokens' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Instance Uses Metadata Service IMDSv1",
+ "severity": "LOW",
+ "line": 18,
+ "filename": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8_launch_config].metadata_options",
+ "searchValue": "",
+ "expectedValue": "'module[positive8_launch_config].metadata_options.http_tokens' should be defined to 'required'",
+ "actualValue": "'module[positive8_launch_config].metadata_options.http_tokens' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Instance Uses Metadata Service IMDSv1",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9_instance]",
+ "searchValue": "",
+ "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'",
+ "actualValue": 
"'module[positive9_instance].metadata_options' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Instance Uses Metadata Service IMDSv1",
+ "severity": "LOW",
+ "line": 13,
+ "filename": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9_launch_config]",
+ "searchValue": "",
+ "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'",
+ "actualValue": "'module[positive9_launch_config].metadata_options' is not defined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json
index 83a88cc559d..c804a933422 100644
--- a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Instance With No VPC",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "positive1",
+ "searchKey": "aws_instance[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null",
+ "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Instance With No VPC",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null",
+ "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json
index 96de2c7e663..f8cd0c8c805 100644
--- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Kinesis Not Encrypted With KMS",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_stream",
+ "resourceName": "terraform-kinesis-test",
+ "searchKey": "aws_kinesis_stream[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set",
+ "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis Not Encrypted With KMS",
 "severity": "HIGH",
- "line": 34
+ "line": 34,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_stream",
+ "resourceName": "terraform-kinesis-test",
+ "searchKey": "aws_kinesis_stream[positive2].encryption_type",
+ "searchValue": "",
+ "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE",
+ "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kinesis Not Encrypted With KMS",
 "severity": "HIGH",
- "line": 41
+ "line": 41,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_stream",
+ "resourceName": "terraform-kinesis-test",
+ "searchKey": "aws_kinesis_stream[positive3]",
+ "searchValue": "",
+ "expectedValue": "aws_kinesis_stream[positive3].kms_key_id should be set",
+ "actualValue": "aws_kinesis_stream[positive3].kms_key_id is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json
index abc47c8bd1f..8197b9736aa 100644
--- a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_firehose_delivery_stream",
+ "resourceName": "${aws_s3_bucket.logs.bucket}-firehose",
+ "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'server_side_encryption' should be set",
+ "actualValue": "Attribute 'server_side_encryption' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 23
+ "line": 23,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_firehose_delivery_stream",
+ "resourceName": "${aws_s3_bucket.logs.bucket}-firehose",
+ "searchKey": "aws_kinesis_firehose_delivery_stream[positive3].server_side_encryption.enabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'server_side_encryption' should be enabled",
+ "actualValue": "Attribute 'server_side_encryption' is not enabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 34
+ "line": 34,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_firehose_delivery_stream",
+ "resourceName": "${aws_s3_bucket.logs.bucket}-firehose",
+ "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type",
+ "searchValue": "",
+ "expectedValue": "Attribute 'key_type' should be valid",
+ "actualValue": "Attribute 'key_type' is invalid",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 42
+ "line": 42,
+ "filename": "positive.tf",
+ "resourceType": "aws_kinesis_firehose_delivery_stream",
+ "resourceName": "${aws_s3_bucket.logs.bucket}-firehose",
+ "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption",
+ "searchValue": "",
+ "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 
'key_arn' should be set",
+ "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json
index ecd69b65494..96b8e50b759 100644
--- a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "positive1",
+ "searchKey": "aws_kms_key[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "positive1",
+ "searchKey": "aws_kms_key[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "positive3",
+ "searchKey": "aws_kms_key[positive3]",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[positive3].policy should be defined and not null",
+ "actualValue": "aws_kms_key[positive3].policy is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json
index 086ae05195e..03500191e9c 100644
--- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "KMS Key With No Deletion Window",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "positive1",
+ "searchKey": "aws_kms_key[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid",
+ "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "KMS Key With No Deletion Window",
 "severity": "LOW",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "positive2",
+ "searchKey": "aws_kms_key[positive2].deletion_window_in_days",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid",
+ "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json
index 526c7c5a52c..b4ef345fefe 100644
--- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Lambda Function With Privileged Role",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda",
+ "searchKey": "aws_lambda_function[positivefunction1].role",
+ "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1",
+ "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy",
+ "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Function With Privileged Role",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda",
+ "searchKey": "aws_lambda_function[positivefunction1].role",
+ "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0",
+ "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy",
+ "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 
'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Function With Privileged Role",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda",
+ "searchKey": "aws_lambda_function[positivefunction1].role",
+ "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0",
+ "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy",
+ "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. 
List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Function With Privileged Role",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda",
+ "searchKey": "aws_lambda_function[positivefunction1].role",
+ "searchValue": "positiverole1/positiveinlinepolicy1/0",
+ "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.",
+ "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. 
List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Function With Privileged Role",
 "severity": "HIGH",
 "line": 23,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda",
+ "searchKey": "aws_lambda_function[positivefunction2].role",
+ "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]",
+ "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions",
+ "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'.",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
index 11ef1ad0bc3..5410419b6b4 100644
--- a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
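Review bot: Each of the five actualValue strings in this hunk pins the query's entire privileged-permission list verbatim (`List of privileged permissions '[\"iam:CreatePolicyVersion\", … \"sts:*\"]'`), so a single addition or removal in that list in query.rego will invalidate all five expected results at once and produce a fixture diff that is unreadable. If the harness compares these fields exactly (not visible here), consider having the query report only the matched permission (`Provided privileged permissions: 'iam:CreateLoginProfile'.`) and leaving the reference list out of actualValue, so the fixture only changes when the finding itself changes. The first four entries are distinguishable only by searchValue, which is fine but worth a one-line comment in the query's test README if one exists.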
@@ -3,24 +3,52 @@
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda_without_dlq",
+ "searchKey": "aws_lambda_function[lambda_without_dlq]",
+ "searchValue": "",
+ "expectedValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' should be defined and not null",
+ "actualValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 24,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "lambda_with_incomplete_dlq",
+ "searchKey": "aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn",
+ "searchValue": "",
+ "expectedValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' should be defined and not empty",
+ "actualValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' is empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[lambda_with_incomplete_dlq]",
+ "searchValue": "",
+ "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not null",
+ "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 26,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": 
"module[lambda_with_incomplete_dlq].dead_letter_target_arn",
+ "searchValue": "",
+ "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty",
+ "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
index 806f660a9a0..bfeb45022b5 100644
--- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
 {
- "line": 28,
 "queryName": "Lambda Functions Without X-Ray Tracing",
- "severity": "LOW"
+ "severity": "LOW",
+ "line": 28,
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "test_lambda2",
+ "searchKey": "aws_lambda_function[test_lambda2].tracing_config.mode",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_function[test_lambda2].tracing_config.mode should be set to 'Active'",
+ "actualValue": "aws_lambda_function[test_lambda2].tracing_config.mode is set to 'PassThrough'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
- "line": 45
+ "line": 45,
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "test_lambda3",
+ "searchKey": "aws_lambda_function[test_lambda3]",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_function[test_lambda3].tracing_config should be defined and not null",
+ "actualValue": "aws_lambda_function[test_lambda3].tracing_config is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json
index 7951f5675f9..e71a2c79515 100644
--- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 8,
- "filename": "positive1.tf"
- },
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 8,
- "filename": "positive2.tf"
- },
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 8,
- "filename": "positive3.tf"
- },
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 5,
- "filename": "positive4.tf"
- },
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 8,
- "filename": "positive5.tf"
- },
- {
- "queryName": "Lambda IAM InvokeFunction Misconfigured",
- "severity": "LOW",
- "line": 8,
- "filename": "positive6.tf"
- }
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive1policy",
+ "searchKey": "aws_iam_policy[positive1policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive1policy].policy should be misconfigured",
+ "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive2.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive2policy",
+ "searchKey": "aws_iam_policy[positive2policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive2policy].policy should be misconfigured",
+ "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 8,
+ 
"filename": "positive3.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive3policy",
+ "searchKey": "aws_iam_policy[positive3policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive3policy].policy should be misconfigured",
+ "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 5,
+ "filename": "positive4.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive4policy",
+ "searchKey": "aws_iam_policy[positive4policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive4policy].policy should be misconfigured",
+ "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive5.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive5policy",
+ "searchKey": "aws_iam_policy[positive5policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive5policy].policy should be misconfigured",
+ "actualValue": "[positive5policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Lambda IAM InvokeFunction Misconfigured",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive6.tf",
+ "resourceType": "aws_iam_policy",
+ "resourceName": "positive6policy",
+ "searchKey": "aws_iam_policy[positive6policy].policy",
+ "searchValue": "",
+ "expectedValue": "[positive6policy].policy should be misconfigured",
+ "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its 
sub-resources, add another statement with \":*\" to function name",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json
index 4d4185aebc6..499f9e699ea 100644
--- a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Lambda Permission Misconfigured",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_permission",
+ "resourceName": "positive1",
+ "searchKey": "aws_lambda_permission[positive1].action",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_permission[name].action should be 'lambda:InvokeFunction'%!(EXTRA string=positive1)",
+ "actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
index bfc56e78a38..03be7124099 100644
--- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
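Review bot: The six new expectedValue strings in the lambda_iam_invokefunction_misconfigured hunk read `[positive1policy].policy should be misconfigured`, which states the failing condition where the compliant one is expected; keyExpectedValue normally describes what a passing resource looks like, e.g. `[positive1policy].policy should also grant access to the qualified function ARN (':*')`. That text comes from the query's rego, which is not part of this diff, so the correction belongs there followed by regenerating this file; pinning the inverted wording here means the fixture must change again as soon as the message is fixed. The hunk also re-indents the six pre-existing entries, so every old line shows as removed and re-added; keeping the original indentation would have produced an addition-only diff that is far easier to review.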
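Review bot: Both new message strings in the lambda_permission_misconfigured hunk carry Go's format-verb mismatch marker: `"expectedValue": "aws_lambda_permission[name].action should be 'lambda:InvokeFunction'%!(EXTRA string=positive1)"` and `"actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)"`. The recorded output indicates the query's sprintf format strings contain a literal `[name]` where `[%s]` was intended, so the resource name is never substituted, the first `%s` in the actual-value format consumes the name instead of the action, and the surplus argument is dumped as `%!(EXTRA ...)`. Committing these as expected results locks the broken output in and turns a later fix of the format string into a test failure; correct the formats in query.rego first (`aws_lambda_permission[%s].action should be 'lambda:InvokeFunction'` / `aws_lambda_permission[%s].action is %s`) and regenerate this file. The rego itself is not in this diff, so the root cause is inferred from the recorded strings.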
@@ -1,7 +1,15 @@
 [
 {
- "line": 5,
 "queryName": "Lambda Permission Principal Is Wildcard",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_permission",
+ "resourceName": "positive1",
+ "searchKey": "aws_lambda_permission[positive1].principal",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_permission[positive1].principal shouldn't contain a wildcard",
+ "actualValue": "aws_lambda_permission[positive1].principal contains a wildcard",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json
index 971cd176054..1add9b096aa 100644
--- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Lambda With Vulnerable Policy",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_lambda_permission",
+ "resourceName": "all",
+ "searchKey": "aws_lambda_permission[all].action",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_permission[all].action should not have wildcard",
+ "actualValue": "aws_lambda_permission[all].action has wildcard",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json
index 94deefb61b9..0aee23580d3 100644
--- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json
@@ -2,11 +2,27 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 12 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].max_password_age", + "searchValue": "", + "expectedValue": "'max_password_age' should be lower than 90", + "actualValue": "'max_password_age' is higher than 90", + "issueType": "IncorrectValue" }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 8 + "line": 12, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'max_password_age' should exist", + "actualValue": "'max_password_age' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json index 137f7b0ae88..193b3e65f83 100755 --- a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Missing Cluster Log Types", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].enabled_cluster_log_types", + "searchValue": "", + "expectedValue": "'enabled_cluster_log_types' has all log types", + "actualValue": "'enabled_cluster_log_types' has missing log types", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 144dcfe9c92..cab23350503 100644 --- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "example", + "searchKey": "aws_mq_broker[positive1].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be undefined or set to false", + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 3aa5e012477..9dcd2dc8799 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json 
@@ -1,17 +1,41 @@ [ - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 8 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 17 - } + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "no-logging", + "searchKey": "aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "'logs' should be set and enabling general AND audit logging", + "actualValue": "'logs' is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "partial-logging", + "searchKey": "aws_mq_broker[positive2].logs", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' and/or 'audit' is undefined", + "issueType": "MissingAttribute" + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "disabled-logging", + "searchKey": "aws_mq_broker[positive3].logs.general", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' is set to false", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index ff0007ac59d..1d9dc8cc348 100644 --- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type", + "searchValue": "", + "expectedValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type should be set to 'DISABLED' or undefined", + "actualValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 87cb85d9130..5a6a4cc4398 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive1]", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 26 + "line": 26, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Encryption Disabled", 
"severity": "HIGH",
- "line": 37
+ "line": 37,
+ "filename": "positive.tf",
+ "resourceType": "aws_msk_cluster",
+ "resourceName": "example",
+ "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker",
+ "searchValue": "",
+ "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS",
+ "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json
index 77aee52c4db..ba98ac1fda7 100644
--- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json
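Review bot: The fourth entry's `searchKey` contains `encryption_infoencryption_in_transit` (a missing `.`), and all four entries use the `msk_cluster[...]` prefix while the msk_cluster_logging_disabled fixture in the next hunk uses `aws_msk_cluster[...]` for the same resource type; committing these verbatim makes the test enforce the malformed key. If the values were copied from scan output, the defect lives in the query's searchKey construction and should be corrected there before regenerating rather than frozen here; the intended value is presumably `"searchKey": "aws_msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and aws_msk_cluster[positive4].encryption_info.encryption_in_transit.client_broker"`. This hunk starts on the previous line.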
@@ -2,16 +2,40 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false", + "issueType": "IncorrectValue" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing", + "issueType": "MissingAttribute" }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive2", + "searchKey": "aws_msk_cluster[positive2]", + "searchValue": "", + "expectedValue": "'rule.logging_info' should exist", + "actualValue": "'rule.logging_info' does not exist", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json index 5ff36a69dda..2100e30b045 100644 --- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Neptune Cluster Instance is Publicly Accessible", "severity": "HIGH", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster_instance", + "resourceName": "example", + "searchKey": "aws_neptune_cluster_instance[example].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_neptune_cluster_instance[example].publicly_accessible should be set to false", + "actualValue": "aws_neptune_cluster_instance[example].publicly_accessible is set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index b659dde30dd..baaed3ac89a 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 9847f928c55..a57d188a5ab 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set with value true", + "actualValue": "'storage_encrypted' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be true", + "actualValue": "'storage_encrypted' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json index 0b3cecc98a8..0ebe9387ad9 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive1", + "searchKey": "aws_neptune_cluster[{{postive1}}]", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive2", + "searchKey": "aws_neptune_cluster[{{postive2}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": 
"aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 37fe8ca81bf..b393a658ecc 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 30, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 22, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_network_acl_rule", + "resourceName": "postive2", + "searchKey": "aws_network_acl_rule[postive2]", + "searchValue": "", + "expectedValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive3].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue" }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 14, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public", + 
"issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json index ffe49a69896..9f8431a1b0d 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "Network ACL With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_network_acl",
+ "resourceName": "main",
+ "searchKey": "aws_network_acl[positive1].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) should not be public",
+ "actualValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) is public",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network ACL With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aaws_network_acl_rule",
+ "resourceName": "postive2",
+ "searchKey": "aws_network_acl_rule[postive2]",
+ "searchValue": "",
+ "expectedValue": "aws_network_acl[postive2] 'SSH' (TCP:22) should not be public",
+ "actualValue": "aws_network_acl[postive2] 'SSH' (TCP:22) is public",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network ACL With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_network_acl",
+ "resourceName": "main",
+ "searchKey": "aws_network_acl[positive3].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) should not be public",
+ "actualValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) is public",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network ACL With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vpc].default_network_acl_ingress",
+ "searchValue": "",
+ "expectedValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) should not be public",
+ "actualValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) is public",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json
index 1c1519b011a..347a7c459b9 100644
--- a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json
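Review bot: The second entry's `resourceType` is `aaws_network_acl_rule`, which is not a Terraform resource type; the RDP counterpart two hunks earlier records `aws_network_acl_rule` for the same fixture shape, so this looks like either a hand-edit slip or a typo in the positive2.tf fixture, and either way the expected result now enforces it. The fourth entry is also inconsistent with the RDP fixture: its `searchKey` is the module form `module[vpc].default_network_acl_ingress` while `expectedValue`/`actualValue` say `aws_network_acl[vpc].ingress[0]`, and the entries alternate between `(Port:22)` and `(TCP:22)`, which may reflect the query's own messages but is worth confirming against a fresh scan. At minimum the type should read `"resourceType": "aws_network_acl_rule"`. This hunk starts on the previous line.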
@@ -2,26 +2,66 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive2", + "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive3", + "searchKey": "aws_iam_user_login_profile[positive3].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive6", + "searchKey": "aws_iam_user_login_profile[positive6].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 30 + "line": 30, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue" }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 31 + "line": 
31, + "filename": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json index cc22479597c..8b1d93f1cce 100644 --- a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'policy_body' or Attribute 'policy_url' should be set", + "actualValue": "Both Attribute 'policy_body' and Attribute 'policy_url' are undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json index 14744faebfc..9a10bd76ce5 100644 --- a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].password_reuse_prevention", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be 24", + "actualValue": "'password_reuse_prevention' is lower than 24", + "issueType": "IncorrectValue" }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be set with value 24", + "actualValue": "'password_reuse_prevention' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json index 47916ac2a8f..c3258440288 100644 --- a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Policy Without Principal", "severity": "MEDIUM", "line": 9, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "secure_policy", + "searchKey": "aws_kms_key[secure_policy].policy", + "searchValue": "", + "expectedValue": "'Principal' should be defined", + "actualValue": "'Principal' is undefined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json index 945f584ea83..bd26a8dc33a 100644 --- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement has the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value", + "issueType": "IncorrectValue" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + 
"expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json index b398ade46bc..a6999e6920b 100644 --- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", "line": 103, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "pub_ins", + "searchKey": "aws_instance[pub_ins].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue" }, { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", "line": 38, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_public_instance].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 8452e076a79..868f22c0e3b 100755 --- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Public Lambda via API Gateway", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "example", + "searchKey": "aws_lambda_permission[apigw].source_arn", + "searchValue": "", + "expectedValue": "'source_arn' should not equal '/*/*'", + "actualValue": "'source_arn' is equal '/*/*'", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 3acfce4737d..b555fb423ee 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json index ea9389945c2..623d36527c8 100644 --- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json 
@@ -3,6 +3,13 @@
 "queryName": "RDS Cluster With Backup Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_rds_cluster",
+ "resourceName": "postgresql",
+ "searchKey": "aws_rds_cluster[{{postgresql}}]",
+ "searchValue": "",
+ "expectedValue": "aws_rds_cluster.backup_retention_period should be defined and not null",
+ "actualValue": "aws_rds_cluster.backup_retention_period is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json
index 187a78096da..4835dfbd999 100644
--- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "RDS Database Cluster not Encrypted",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_db_cluster_snapshot",
+ "resourceName": "positive1",
+ "searchKey": "aws_db_cluster_snapshot[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted",
+ "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS Database Cluster not Encrypted",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_db_cluster_snapshot",
+ "resourceName": "positive2",
+ "searchKey": "aws_db_cluster_snapshot[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted",
+ "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted",
+ "issueType": "IncorrectValue"
 }
 ]
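Review bot: In the rds_database_cluster_not_encrypted hunk both entries pin an unbalanced quote in the message text, `"aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted"` and `"aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted"` (a closing apostrophe with no opening one). This is presumably copied verbatim from the query's keyExpectedValue/keyActualValue, so the fixture is faithful to today's output, but committing it as-is means the cosmetic fix later has to touch the rego and this file together. I would correct the rego strings to `'aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted` / `... is not encrypted` and regenerate this fixture in the same change. The issueType of IncorrectValue for both entries is consistent with the "is not encrypted" wording.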
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index a79d457a603..d1b8463fdac 100644 --- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be set to false or undefined", + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be set to false or undefined", + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json index 2869dacdeb1..c8e95930463 100644 --- a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json index b82590880cb..24b763e3ad6 100644 --- a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", + "actualValue": "aws_db_instance[positive1].port is set to 3306", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", + "actualValue": "aws_db_instance[positive2].port is set to 5432", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive3].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", + "actualValue": "aws_db_instance[positive3].port is set to 1521", + "issueType": "IncorrectValue" }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive4].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive4].port should not be set to 1433", + "actualValue": "aws_db_instance[positive4].port is set to 1433", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 0d3fdfe8f93..24a0b21819a 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1].backup_retention_period",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should not equal '0'",
+ "actualValue": "'backup_retention_period' is equal '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db].backup_retention_period",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should not equal '0'",
+ "actualValue": "'backup_retention_period' is equal '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1]",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'",
+ "actualValue": "'backup_retention_period' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db]",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'",
+ "actualValue": "'backup_retention_period' is not defined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json
index 9454580d871..a5101e12b89 100644
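Review bot: The positive4.tf entry at the end of the rds_with_backup_disabled hunk is tagged `"issueType": "IncorrectValue"` although its expectedValue/actualValue pair ("should be defined, and bigger than '0'" / "is not defined") is byte-identical to the positive3.tf entry two blocks above, which is tagged `MissingAttribute`. An undefined attribute is a MissingAttribute by the conventions used everywhere else in this diff, so the line should read `"issueType": "MissingAttribute"` unless the query's module branch genuinely emits a different type. This looks like the add_issue_type.py pattern matcher picking the wrong rego block for the `module[db]` path rather than a real difference in the query, so I would re-run the query against positive4.tf instead of trusting the pattern match for this file. If the rego does emit IncorrectValue here, the inconsistency is in the rego and worth fixing there too.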
--- a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json @@ -3,24 +3,52 @@ "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive1", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive2", + "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", + "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 11, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", + "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json index 39222e69fa7..9f268ac8d3a 100644 --- a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Redis Disabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "resource.aws_elasticache_cluster[positive1].engine", + "searchValue": "", + "expectedValue": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actualValue": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json index 2563388f8fa..ce218010e5e 100644 --- a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Redis Not Compliant", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1].engine_version", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster[positive1].engine_version should be compliant with the requirements", + "actualValue": "aws_elasticache_cluster[positive1].engine_version isn't compliant with the requirements", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index 40533ee61d3..0402077cf2d 100644 --- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1].logging.enable", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is false", + "issueType": "IncorrectValue" }, { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2]", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 25d75271b2d..867af4da97a 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "cluster_subnet_group_name", + "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "vpc_security_group_ids", + "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json index 5b4ce2d77c9..f000b61b61f 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json 
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "Redshift Not Encrypted",
- "severity": "HIGH",
- "line": 1
- },
- {
- "queryName": "Redshift Not Encrypted",
- "severity": "HIGH",
- "line": 17
- }
+ {
+ "queryName": "Redshift Not Encrypted",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_redshift_cluster",
+ "resourceName": "positive1",
+ "searchKey": "aws_redshift_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null",
+ "actualValue": "aws_redshift_cluster.encrypted is undefined or null",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Redshift Not Encrypted",
+ "severity": "HIGH",
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "aws_redshift_cluster",
+ "resourceName": "positive2",
+ "searchKey": "aws_redshift_cluster[positive2].encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_redshift_cluster.encrypted should be set to false",
+ "actualValue": "aws_redshift_cluster.encrypted is true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
index 548637b2980..dcceb19d953 100644
--- a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
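Review bot: The positive2.tf entry in the redshift_not_encrypted hunk pins `"expectedValue": "aws_redshift_cluster.encrypted should be set to false"` and `"actualValue": "aws_redshift_cluster.encrypted is true"`, which is the inverse of what a "Redshift Not Encrypted" finding means; the same wording is correct in the neighbouring Redshift Publicly Accessible fixture, so it looks copy-pasted there. If the rego really emits this text the test will pass, but the fixture is then cementing a misleading remediation message that reaches users in scan results. The rego strings should be `aws_redshift_cluster.encrypted should be set to true` / `aws_redshift_cluster.encrypted is false` and this file regenerated from that; the positive1.tf entry and both issueType tags look right.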
@@ -2,11 +2,27 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", + "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", + "actualValue": "aws_redshift_cluster.publicly_accessible is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json index e8e8737ce7a..ca4d0e8d381 100644 --- a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should be defined and not null", + "actualValue": "aws_redshift_cluster.port is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].port", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should not be set to 5439", + "actualValue": "aws_redshift_cluster.port is set to 5439", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 8ea304c9c6f..dcecda069b3 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json 
@@ -3,102 +3,221 @@ "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 39, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 60, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] 
shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 73, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-5].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 87, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 101, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + 
"resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)", + 
"issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 11, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue" }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": 
"module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)",
+ "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
 "line": 82,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Remote Desktop Port Open To Internet",
 "severity": "HIGH",
 "line": 96,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json
index 337633981da..252f97e0f89 100644
--- a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Resource Not Using Tags",
 "severity": "INFO",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_acm_certificate",
+ "resourceName": "cert",
+ "searchKey": "aws_acm_certificate[{{cert}}]",
+ "searchValue": "",
+ "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null",
+ "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Resource Not Using Tags",
 "severity": "INFO",
 "line": 14,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_acm_certificate",
+ "resourceName": "test",
+ "searchKey": "aws_acm_certificate[{{cert_2}}].tags",
+ "searchValue": "",
+ "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'",
+ "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json
index 33e55eeedda..0ae120d8523 100644
--- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json
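Review bot: The second resource_not_using_tags entry pins `"resourceName": "test"` while its searchKey addresses `aws_acm_certificate[{{cert_2}}].tags`, whereas the first entry's `"resourceName": "cert"` matches its `{{cert}}` key. If resourceName is meant to be the resource label this looks like a mismatch; it may instead be taken from a name-like attribute in positive1.tf, so confirm against that fixture before the value is locked into the expected results. The same entry is classified `MissingAttribute` although its actualValue says the tags block exists but lacks extra tags; presumably that mirrors query.rego, since the generator derives issueType from it, but it is worth a second look.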
@@ -3,6 +3,13 @@
 "queryName": "REST API With Vulnerable Policy",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_api_gateway_rest_api_policy",
+ "resourceName": "test",
+ "searchKey": "aws_api_gateway_rest_api_policy[test].policy",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_rest_api_policy[test].policy should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "aws_api_gateway_rest_api_policy[test].policy has wildcard in 'Action' or 'Principal'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
index b9701be2aa2..2c23b6c1b3b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
index 87e158ac96f..43216084773 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
index a5ef5c51455..923adfa5b97 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
index 778b7cad94f..1bf48cf0ed7 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
index 235e2957902..4e57e3d1e8b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
index 26052310d14..d256f74e075 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
index b95a680f239..fa0a4099e5c 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
index ed344d9f4b6..f5a48046cda 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
index 525fe5c1c92..60233503bfe 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
index 832085a4c0e..46103b35ea7 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
index ab36af18cc2..03dd540192a 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
index 15cbd75d72d..336dad4c267 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
index fd4e74f0462..26fd8683c01 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
index 6d0b68ceaa4..f3a8389c6aa 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
index f69e886cad1..7ff2299fddb 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
index 4c3ee4591ee..41be0b979ea 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
index eff25985df7..279abc96275 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
index d8772c4e53d..8ed2d75fbd5 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
index c0d1c5dc6c7..b33507c1625 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_role",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_role[cosmic]",
+ "searchValue": "",
+ "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json
index 8ba4d93171e..557b13d8c2b 100644
--- a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Root Account Has Active Access Keys",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_access_key",
+ "resourceName": "positive1",
+ "searchKey": "aws_iam_access_key[positive1]",
+ "searchValue": "",
+ "expectedValue": "'aws_iam_access_key[positive1].status' should be defined and set to 'Inactive'",
+ "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Root Account Has Active Access Keys",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_iam_access_key",
+ "resourceName": "positive2",
+ "searchKey": "aws_iam_access_key[positive2].status",
+ "searchValue": "",
+ "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'",
+ "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json
index 77946d4c1b8..286f8979730 100644
--- a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Route53 Record Undefined",
- "severity": "HIGH",
- "line": 8
- }
+ {
+ "queryName": "Route53 Record Undefined",
+ "severity": "HIGH",
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "aws_route53_record",
+ "resourceName": "test.example.com",
+ "searchKey": "aws_route53_record[example].records",
+ "searchValue": "",
+ "expectedValue": "aws_route53_record.records should be defined",
+ "actualValue": "aws_route53_record.records is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
index 6bbb854489c..fcd7b9b0f1e 100644
--- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive1].policy.Principal should not equal to, nor contain '*'",
+ "actualValue": "aws_s3_bucket_policy[positive1].policy.Principal is equal to or contains '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "CRITICAL",
 "line": 12,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Principal' should not equal to, nor contain '*'",
+ "actualValue": "'policy.Principal' is equal to or contains '*'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
index 67dc0436485..e19041b5117 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
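Review bot: The first s3_bucket_access_to_any_principal entry pins `"resourceName": "${aws_s3_bucket.b.id}"`, an unresolved Terraform expression rather than a resource label, as the expected value. That presumably reproduces what the scanner currently emits when the policy's bucket argument is a reference, but once it sits in the expected results any later change that resolves the reference will fail this fixture; confirm that freezing the raw expression is intended rather than a placeholder that should be normalised.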
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json 
@@ -3,36 +3,78 @@
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 15,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1].acl=public-read",
+ "searchValue": "",
+ "expectedValue": "'acl' should equal to 'private'",
+ "actualValue": "'acl' is equal 'public-read'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 16,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive2].acl=public-read-write",
+ "searchValue": "",
+ "expectedValue": "'acl' should equal to 'private'",
+ "actualValue": "'acl' is equal 'public-read-write'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "'acl' should equal to 'private'",
+ "actualValue": "'acl' is equal 'public-read'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "'acl' should equal to 'private'",
+ "actualValue": "'acl' is equal 'public-read-write'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 20,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example_bucket_acl",
+ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private",
+ "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "CRITICAL",
 "line": 20,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example_bucket_acl",
+ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private",
+ "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
index 61a32dc2ac8..44a7b9e1be7 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json
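Review bot: The positive5.tf and positive6.tf entries pin `"actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)"` (and its public-read-write twin), which is Go's marker for a format verb that received no argument rather than a real message; the ACL value has also landed in the resource-name slot, since searchKey names `example_bucket_acl` while actualValue names `public-read`. Committing that as the expected result turns the defect into a passing test, so any later repair of the message will fail this suite. The cause is presumably the keyActualValue sprintf in the query's rego (outside this diff) being passed one argument fewer than it has verbs; I would fix that first and regenerate, expecting something like `"aws_s3_bucket_acl[example_bucket_acl].acl is public-read"` (constructed example).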
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1].acl",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[positive1].acl should be private",
+ "actualValue": "aws_s3_bucket[positive1].acl is authenticated-read",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "'acl' should be private",
+ "actualValue": "'acl' is authenticated-read",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
 "severity": "HIGH",
 "line": 20,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example_bucket_acl",
+ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private",
+ "actualValue": "aws_s3_bucket_acl[example_bucket_acl].acl is authenticated-read",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json
index 856b0ebf754..3c51e4cf41e 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission",
 "severity": "CRITICAL",
 "line": 16,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example",
+ "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant.permission",
+ "searchValue": "",
+ "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl",
+ "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission",
 "severity": "CRITICAL",
 "line": 23,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example",
+ "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant[1].permission",
+ "searchValue": "",
+ "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl",
+ "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
index 41c4374ceb8..630a35cb95d 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive1].policy.Action should not be a 'Delete' action",
+ "actualValue": "aws_s3_bucket_policy[positive1].policy.Action is a 'Delete' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive2].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action",
+ "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 12,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Action' should not be a 'Delete' action",
+ "actualValue": "'policy.Statement.Action' is a 'Delete' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 37,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${var.positive4}",
+ "searchKey": "aws_s3_bucket_policy[positive4].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive4].policy.Action should not be a 'Delete' action",
+ "actualValue": "aws_s3_bucket_policy[positive4].policy.Action is a 'Delete' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 37,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${var.positive5}",
+ "searchKey": "aws_s3_bucket_policy[positive5].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive5].policy.Action should not be a 'Delete' action",
+ "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Delete Action From All Principals",
 "severity": "CRITICAL",
 "line": 37,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${var.positive6}",
+ "searchKey": "aws_s3_bucket_policy[positive6].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action",
+ "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
index 7981794f047..482ac304458 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "line": 17,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive2].policy.Action",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Get' action",
+ "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Get' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "line": 42,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive3].policy.Action",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive3].policy.Action should not be a 'Get' action",
+ "actualValue": "aws_s3_bucket_policy[positive3].policy.Action is a 'Get' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Get Action From All Principals",
 "severity": "HIGH",
 "line": 23,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy.Action",
+ "searchValue": "",
+ "expectedValue": "module[s3_bucket].policy.Action should not be a 'Get' action",
+ "actualValue": "module[s3_bucket].policy.Action is a 'Get' action",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
index 1e69808740d..1929e85a5a7 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive2].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows List Action From All Principals",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json
index dfa66d99198..80f3fa1d260 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json
@@ -2,25 +2,53 @@
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
- "line": 18,
- "filename": "positive1.tf"
+ "line": 8,
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "positive2",
+ "searchKey": "aws_s3_bucket_public_access_block[positive2].block_public_acls",
+ "searchValue": "",
+ "expectedValue": "'block_public_acls' should equal 'true'",
+ "actualValue": "'block_public_acls' is equal 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
- "line": 8,
- "filename": "positive1.tf"
+ "line": 18,
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "positive3",
+ "searchKey": "aws_s3_bucket_public_access_block[positive3]",
+ "searchValue": "",
+ "expectedValue": "'block_public_acls' should equal 'true'",
+ "actualValue": "'block_public_acls' is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
- "line": 1,
- "filename": "positive3.tf"
+ "line": 8,
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].block_public_acls",
+ "searchValue": "",
+ "expectedValue": "'block_public_acls' should equal 'true'",
+ "actualValue": "'block_public_acls' is equal 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public ACL",
 "severity": "MEDIUM",
- "line": 8,
- "filename": "positive2.tf"
+ "line": 1,
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket]",
+ "searchValue": "",
+ "expectedValue": "'block_public_acls' should equal 'true'",
+ "actualValue": "'block_public_acls' is missing",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
index 0e3bc74d02b..0e611f16da9 100644
--- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action should not be a 'Put' action",
+ "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive2].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action should not be a 'Put' action",
+ "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Put Action From All Principals",
 "severity": "CRITICAL",
 "line": 12,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement.Action' should not be a 'Put' action",
+ "actualValue": "'policy.Statement.Action' is a 'Put' action",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
index 7bfe21c6235..0e3070b7b24 100644
--- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1]",
+ "searchValue": "",
+ "expectedValue": "'logging' should be defined and not null",
+ "actualValue": "'logging' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket]",
+ "searchValue": "",
+ "expectedValue": "'logging' should be defined and not null",
+ "actualValue": "'logging' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Logging Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-example-bucket",
+ "searchKey": "aws_s3_bucket[examplee]",
+ "searchValue": "",
+ "expectedValue": "'logging' should be defined and not null",
+ "actualValue": "'logging' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json
index d2ca784af21..09b4c0f55bf 100644
--- a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json
@@ -3,72 +3,156 @@
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "s3-event-notification-topic",
+ "searchKey": "aws_sns_topic[topic2]",
+ "searchValue": "",
+ "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
- "line": 6,
- "fileName": "positive2.tf"
+ "line": 1,
+ "filename": "positive10.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "s3-event-notification-topic",
+ "searchKey": "aws_sns_topic[topic1]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_notification' should be defined and not null",
+ "actualValue": "'aws_s3_bucket_notification' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
- "line": 14,
- "fileName": "positive3.tf"
+ "line": 1,
+ "filename": "positive11.tf",
+ "resourceType": "aws_sqs_queue",
+ "resourceName": "s3-event-notification-queue",
+ "searchKey": "aws_sqs_queue[queue]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_notification' should be defined and not null",
+ "actualValue": "'aws_s3_bucket_notification' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive12.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "aws_lambda_function",
+ "searchKey": "aws_lambda_function[func]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_notification' should be defined and not null",
+ "actualValue": "'aws_s3_bucket_notification' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
- "line": 1,
- "fileName": "positive5.tf"
+ "line": 6,
+ "filename": "positive2.tf",
+ "resourceType": "aws_sqs_queue",
+ "resourceName": "s3-event-notification-queue",
+ "searchKey": "aws_sqs_queue[queue2]",
+ "searchValue": "",
+ "expectedValue": "aws_sqs_queue.queue2 should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sqs_queue.queue2 is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
- "line": 6,
- "fileName": "positive6.tf"
+ "line": 14,
+ "filename": "positive3.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "func2",
+ "searchKey": "aws_lambda_function[func2]",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive7.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "s3-event-notification-topic",
+ "searchKey": "aws_sns_topic[topic]",
+ "searchValue": "",
+ "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive8.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_sqs_queue",
+ "resourceName": "s3-event-notification-queue",
+ "searchKey": "aws_sqs_queue[queue]",
+ "searchValue": "",
+ "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive9.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "func",
+ "searchKey": "aws_lambda_function[func]",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive10.tf"
+ "filename": "positive7.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "s3-event-notification-topic",
+ "searchKey": "aws_sns_topic[topic]",
+ "searchValue": "",
+ "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive11.tf"
+ "filename": "positive8.tf",
+ "resourceType": "aws_sqs_queue",
+ "resourceName": "s3-event-notification-queue",
+ "searchKey": "aws_sqs_queue[queue]",
+ "searchValue": "",
+ "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 bucket notifications disabled",
 "severity": "LOW",
- "line": 1,
- "fileName": "positive12.tf"
+ "line": 6,
+ "filename": "positive9.tf",
+ "resourceType": "aws_lambda_function",
+ "resourceName": "func",
+ "searchKey": "aws_lambda_function[func]",
+ "searchValue": "",
+ "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ",
+ "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json
index 63d60edca4a..55424177865 100644
--- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "tf-trail-foobar",
+ "searchKey": "aws_cloudtrail[example].event_selector",
+ "searchValue": "",
+ "expectedValue": "'read_write_type' should be defined and not null",
+ "actualValue": "'read_write_type' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_cloudtrail",
+ "resourceName": "tf-trail-foobar",
+ "searchKey": "aws_cloudtrail[example2].event_selector.read_write_type",
+ "searchValue": "",
+ "expectedValue": "'read_write_type' should be set to 'All'",
+ "actualValue": "'read_write_type' is not set to 'All'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json
index 56dd83eff00..4f2ec42d08b 100644
--- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json
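Review bot: The nine "evoked" entries in the notifications section carry a trailing space inside both message strings (`"... in aws_s3_bucket_notification "`), and "evoked" reads as a slip for "invoked" or "referenced"; the three `'aws_s3_bucket_notification' should be defined and not null` entries have neither problem. Those strings come from the query's message format, so the stray whitespace is now pinned by eighteen fixture values and trimming it later means regenerating this file again; presumably the rego format string has the space before its closing quote, and I would trim it there before regenerating. The entries are also now in lexical order (positive1, positive10, positive11, positive12, positive2, …) rather than the numeric order of the old file, which is harmless only if the fixture comparison is order-insensitive, so that is worth confirming.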
+++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "S3 Bucket Object Not Encrypted",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_object",
+ "resourceName": "${aws_s3_bucket.examplebucket.id}",
+ "searchKey": "aws_s3_bucket_object[{{examplebucket_object}}]",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_object.server_side_encryption should be defined and not null",
+ "actualValue": "aws_s3_bucket_object.server_side_encryption is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json
index 8aeb9a50521..0ddc5a50dc1 100644
--- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "S3 Bucket Policy Accepts HTTP Requests",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[b].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[b].policy should not accept HTTP Requests",
+ "actualValue": "aws_s3_bucket_policy[b].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Policy Accepts HTTP Requests",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[b2].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests",
+ "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Policy Accepts HTTP Requests",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy' should not accept HTTP Requests",
+ "actualValue": "'policy' accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Policy Accepts HTTP Requests",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "a",
+ "searchKey": "aws_s3_bucket[pos4].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[pos4].policy should not accept HTTP Requests",
+ "actualValue": "aws_s3_bucket[pos4].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Policy Accepts HTTP Requests",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "a",
+ "searchKey": "aws_s3_bucket[pos5].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests",
+ "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json
index ad88c555262..054a3e1ba03 100644
--- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Bucket Public ACL Overridden By Public Access Block",
 "severity": "HIGH",
 "line": 16,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "bucket-with-public-acl-3",
+ "searchKey": "aws_s3_bucket[public-bucket].acl",
+ "searchValue": "",
+ "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block",
+ "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Public ACL Overridden By Public Access Block",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].acl",
+ "searchValue": "",
+ "expectedValue": "S3 Bucket public ACL to not be overridden by public access block",
+ "actualValue": "S3 Bucket public ACL is overridden by public access block",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Public ACL Overridden By Public Access Block",
 "severity": "HIGH",
 "line": 20,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket_acl",
+ "resourceName": "example_bucket_acl",
+ "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl",
+ "searchValue": "",
+ "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block",
+ "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
index 8d782699d0b..f1e2e3947b9 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket With All Permissions",
 "severity": "CRITICAL",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "S3B_181355",
+ "searchKey": "aws_s3_bucket[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement' should not allow all actions to all principal",
+ "actualValue": "'policy.Statement' allows all actions to all principal",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket With All Permissions",
 "severity": "CRITICAL",
 "line": 12,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Statement' should not allow all actions to all principal",
+ "actualValue": "'policy.Statement' allows all actions to all principal",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
index 8eb282dc0e2..19ac05aff02 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "S3 Bucket Allows Public Policy",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive10.tf",
+ "resourceType": "aws_s3_account_public_access_block",
+ "resourceName": "allow_public_acc",
+ "searchKey": "aws_s3_account_public_access_block[allow_public_acc]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "allow_public",
+ "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Allows Public Policy",
 "severity": "MEDIUM",
 "line": 2,
- "filename": "positive9.tf"
- },
- {
- "queryName": "S3 Bucket Allows Public Policy",
- "severity": "MEDIUM",
- "line": 1,
- "filename": "positive10.tf"
+ "filename": "positive9.tf",
+ "resourceType": "aws_s3_account_public_access_block",
+ "resourceName": "allow_public_acc",
+ "searchKey": "aws_s3_account_public_access_block[allow_public_acc].block_public_policy",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true",
+ "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
index 77bc3176924..52d5283f0c7 100644
--- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1].cors_rule",
+ "searchValue": "",
+ "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins",
+ "actualValue": "'cors_rule' allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive2].cors_rule",
+ "searchValue": "",
+ "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins",
+ "actualValue": "'cors_rule' allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].cors_rule",
+ "searchValue": "",
+ "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins",
+ "actualValue": "'cors_rule' allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].cors_rule",
+ "searchValue": "",
+ "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins",
+ "actualValue": "'cors_rule' allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket with Unsecured CORS Rule",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "aws_s3_bucket_cors_configuration",
+ "resourceName": "example",
+ "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule",
+ "searchValue": "",
+ "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins",
+ "actualValue": "'cors_rule' allows all methods, all headers or several origins",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
index 63c2be9e202..137e2b5c3f2 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1].versioning",
+ "searchValue": "mfa_delete",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 25,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive2].versioning.mfa_delete",
+ "searchValue": "",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
- "line": 24,
- "fileName": "positive3.tf"
+ "line": 23,
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive3].versioning",
+ "searchValue": "mfa_delete",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
- "line": 23,
- "fileName": "positive3.tf"
+ "line": 24,
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive3].versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning",
+ "searchValue": "mfa_delete",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning.mfa_delete",
+ "searchValue": "",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning",
+ "searchValue": "mfa_delete",
+ "expectedValue": "'mfa_delete' should be set to true",
+ "actualValue": "'mfa_delete' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 28,
- "fileName": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "aws_s3_bucket_versioning",
+ "resourceName": "example2",
+ "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete",
+ "searchValue": "",
+ "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'",
+ "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Enabled MFA Delete",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "aws_s3_bucket_versioning",
+ "resourceName": "example",
+ "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status",
+ "searchValue": "",
+ "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'",
+ "actualValue": "'versioning_configuration.status' is set to 'Disabled'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
index 1eaad588316..194ac0e1e4d 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "positive2",
+ "searchKey": "aws_s3_bucket_public_access_block[positive2].ignore_public_acls",
+ "searchValue": "",
+ "expectedValue": "'ignore_public_acls' should equal 'true'",
+ "actualValue": "'ignore_public_acls' is equal 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].ignore_public_acls",
+ "searchValue": "",
+ "expectedValue": "'ignore_public_acls' should equal 'true'",
+ "actualValue": "'ignore_public_acls' is equal 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].ignore_public_acls",
+ "searchValue": "",
+ "expectedValue": "'ignore_public_acls' should equal 'true'",
+ "actualValue": "'ignore_public_acls' is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Ignore Public ACL",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "positive2",
+ "searchKey": "aws_s3_bucket_public_access_block[positive2]",
+ "searchValue": "",
+ "expectedValue": "'ignore_public_acls' should equal 'true'",
+ "actualValue": "'ignore_public_acls' is missing",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
index e50007430c7..0232301b8ab 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 13,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "restrict_public",
+ "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets",
+ "searchValue": "",
+ "expectedValue": "'restrict_public_buckets' should equal 'true'",
+ "actualValue": "'restrict_public_buckets' is equal to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Restriction Of Public Bucket",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket_public_access_block",
+ "resourceName": "restrict_public",
+ "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets",
+ "searchValue": "",
+ "expectedValue": "'restrict_public_buckets' should equal 'true'",
+ "actualValue": "'restrict_public_buckets' is equal to 'false'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json
index 4676cedc78b..82fb79b9edc 100755
--- a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json 
@@ -3,48 +3,104 @@
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive1].versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive2]",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be true",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[positive3].versioning",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].versioning",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket]",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be true",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "aws_s3_bucket_versioning",
+ "resourceName": "example",
+ "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status",
+ "searchValue": "",
+ "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'",
+ "actualValue": "'versioning_configuration.status' is set to 'Suspended'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[b2]",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be true",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json
index 1f7bdb12744..6f0ce4bfedd 100644
--- a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "s3-website-test.hashicorp.com",
+ "searchKey": "resource.aws_s3_bucket[positive1].website",
+ "searchValue": "",
+ "expectedValue": "resource.aws_s3_bucket[positive1].website to not have static websites inside",
+ "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].website",
+ "searchValue": "",
+ "expectedValue": "'website' to not have static websites inside",
+ "actualValue": "'website' does have static websites inside",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[buc]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket' to not have 'aws_s3_bucket_website_configuration' associated",
+ "actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
index fdcc66ac487..ad74016d8ef 100644
--- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
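Review bot: The positive3 entry of s3_static_website_host_enabled pairs `"actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated"` with `"issueType": "MissingAttribute"`, which reads as a contradiction: the finding is that an attribute is present, which is the IncorrectValue shape used by the two sibling entries. Since the script in this commit assigns issueType by matching rego patterns rather than by re-running the scan, this may be the branch that the matcher chose rather than what the query emits, and is worth checking against the query's rego before the value becomes the regression baseline. If the rego really reports MissingAttribute here, a short note in the fixture's commit message explaining that would save the next reader the same question.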
+++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Sagemaker Endpoint Configuration Encryption Disabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_sagemaker_endpoint_configuration",
+ "resourceName": "my-endpoint-config",
+ "searchKey": "aws_sagemaker_endpoint_configuration[positive]",
+ "searchValue": "",
+ "expectedValue": "aws_sagemaker_endpoint_configuration[positive] should be defined and not null",
+ "actualValue": "aws_sagemaker_endpoint_configuration[positive] is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
index 44f24216665..ffc9c2242d8 100644
--- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Sagemaker Notebook Instance Without KMS",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_sagemaker_notebook_instance",
+ "resourceName": "my-notebook-instance",
+ "searchKey": "aws_sagemaker_notebook_instance[{{ni}}]",
+ "searchValue": "",
+ "expectedValue": "aws_sagemaker_notebook_instance.kms_key_id should be defined and not null",
+ "actualValue": "aws_sagemaker_notebook_instance.kms_key_id is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
index cf616bbf4f3..61dc98aa3e8 100644
--- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Secrets Manager With Vulnerable Policy",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_secretsmanager_secret_policy",
+ "resourceName": "example",
+ "searchKey": "aws_secretsmanager_secret_policy[example].policy",
+ "searchValue": "",
+ "expectedValue": "aws_secretsmanager_secret_policy[example].policy should not have wildcard in 'Principal' and 'Action'",
+ "actualValue": "aws_secretsmanager_secret_policy[example].policy has wildcard in 'Principal' or 'Action'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
index aeec1843978..722d1f5df2a 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "test-cloudrail-1",
+ "searchKey": "aws_secretsmanager_secret[test2].kms_key_id",
+ "searchValue": "",
+ "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key",
+ "actualValue": "Secrets Manager secret is encrypted with AWS managed key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "test-cloudrail-1",
+ "searchKey": "aws_secretsmanager_secret[test].kms_key_id",
+ "searchValue": "",
+ "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key",
+ "actualValue": "Secrets Manager secret is encrypted with AWS managed key",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
index d3799197712..43f8e2bae56 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "example",
+ "searchKey": "aws_secretsmanager_secret[{{example}}]",
+ "searchValue": "",
+ "expectedValue": "aws_secretsmanager_secret.kms_key_id should be defined and not null",
+ "actualValue": "aws_secretsmanager_secret.kms_key_id is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
index 7de94a38420..181c999383f 100644
--- a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
- "line": 42
+ "line": 42,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version should start with TLSv1.1 or TLSv1.2",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
index d8ffad946ed..af63f134165 100644
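Review bot: The secure_ciphers_disabled hunk pins `should start with TLSv1.1 or TLSv1.2` as the accepted `minimum_protocol_version`, so the fixture now locks in TLSv1.1 as a passing baseline even though it is deprecated (RFC 8996). The fixture is presumably faithful to what the query emits today, so the entry itself is not wrong, but anyone tightening the query to TLSv1.2-only will have to regenerate this file at the same time; it is worth flagging that coupling in the query's own documentation rather than discovering it from a failing test. The secretsmanager_secret_without_kms hunk earlier on this line is consistent with its siblings.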
--- a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
@@ -3,108 +3,234 @@ "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].ingress.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 11, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].egress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].egress.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 10, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[1].description should 
be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 20, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 27, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 1, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", 
+ "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 1, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive4-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", + "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 8, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_vpc_security_group_egress_rule", + "resourceName": "positive4-2", + "searchKey": "aws_vpc_security_group_egress_rule[positive4-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_egress_rule[positive4-2].description should be defined and not null", + "actualValue": "aws_vpc_security_group_egress_rule[positive4-2].description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 6, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null", + "issueType": 
"MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 12, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 21, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 27, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 40, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + 
"expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 46, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 55, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 61, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 989ca124d35..479c5a485fd 100644
--- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -3,102 +3,221 @@ "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 60, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not 
be open", + "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 101, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": 
"aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) should not be open", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) should not be open", + "actualValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": 
"MEDIUM", "line": 11, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 30, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 49, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 63, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 
'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 82, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 96, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json index a5367983018..4567071f326 100644 --- a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Security Group Without Description", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-1", + "searchKey": "aws_security_group[positive1-1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1] description should be defined and not null", + "actualValue": "aws_security_group[positive1-1] description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Without Description", "severity": "INFO", "line": 7, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-2", + "searchKey": "aws_security_group[positive1-2]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2] description should be defined and not null", + "actualValue": "aws_security_group[positive1-2] description is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group Without Description", "severity": "INFO", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2-1]", + "searchValue": "", + "expectedValue": "module[positive2-1] description should be defined and not null", + "actualValue": "module[positive2-1] description is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Without Description", "severity": "INFO", "line": 10, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2-2]", + "searchValue": "", + "expectedValue": "module[positive2-2] description should be defined and not null", + "actualValue": "module[positive2-2] description is undefined or null", + "issueType": "IncorrectValue" } ] 
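Review bot: The two module entries in this hunk (positive2.tf, lines 1 and 10) carry `"issueType": "IncorrectValue"` while their expectedValue is the missing-attribute wording `description should be defined and not null`, the same text the two aws_security_group entries in the same hunk tag as `"MissingAttribute"`. If the fixture mirrors the rego output, this suggests the module branch of the query emits a different issueType for the same condition and should be aligned; if the field was derived by pattern-matching on the expected/actual strings, as the generator script in this change does, the match selected the wrong branch. Either way, once the source of truth is settled the two entries should read `"issueType": "MissingAttribute"` so consumers of the result type see consistent semantics.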
diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
index 3ccca1415d6..cef644b07dc 100644
--- a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "Security Group Not Used", "severity": "INFO", "line": 8, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[allow_tls]", + "searchValue": "", + "expectedValue": "'aws_security_group[allow_tls]' should be used", + "actualValue": "'aws_security_group[allow_tls]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 15, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused-sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused-sg]' should be used", + "actualValue": "'aws_security_group[unused-sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 19, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 21, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 1, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "aws_security_group", + "resourceName": "example", + "searchKey": 
"aws_security_group[example]", + "searchValue": "", + "expectedValue": "'aws_security_group[example]' should be used", + "actualValue": "'aws_security_group[example]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 1, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "aws_security_group", + "resourceName": "default_name", + "searchKey": "aws_security_group[default_name]", + "searchValue": "", + "expectedValue": "'aws_security_group[default_name]' should be used", + "actualValue": "'aws_security_group[default_name]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 19, - "filename": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "aws_security_group", + "resourceName": "unused-sg", + "searchKey": "aws_security_group[unused_sg]", + "searchValue": "", + "expectedValue": "'aws_security_group[unused_sg]' should be used", + "actualValue": "'aws_security_group[unused_sg]' is not used", + "issueType": "IncorrectValue" }, { "queryName": "Security Group Not Used", "severity": "INFO", "line": 1, - "filename": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "aws_security_group", + "resourceName": "default_name", + "searchKey": "aws_security_group[default_name]", + "searchValue": "", + "expectedValue": "'aws_security_group[default_name]' should be used", + "actualValue": "'aws_security_group[default_name]' is not used", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index c23d7e9ca83..5cb1204e248 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
@@ -3,240 +3,520 @@ "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 12, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 21, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 27, - "filename": "positive1.tf" + 
"filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 47, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 56, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": 
"aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 63, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 9, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + 
"searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 16, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 23, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) 
should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 39, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 46, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 53, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": 
"IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 18, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 26, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 36, - "filename": "positive3.tf" + "filename": 
"positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 44, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 52, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 60, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + 
"searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 11, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 
23, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 41, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 47, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": 
"SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 53, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 96931d2a0c3..97f2aea2c37 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json 
@@ -1,242 +1,522 @@ [ { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 12, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 21, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": 
"IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 27, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 47, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": 
"IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 56, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 63, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be 
allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 16, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 23, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + 
"searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 39, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 46, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 53, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + 
"searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 18, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": 
"aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 26, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 44, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": 
"aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 52, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 60, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": 
"TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 11, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 17, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 23, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is 
allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 41, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 47, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 53, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 721ee508a9a..56bc14bb7ef 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json 
@@ -3,240 +3,520 @@ "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 3, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 12, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 21, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 27, - "filename": 
"positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 38, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 47, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 56, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": 
"positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 63, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 9, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": 
"aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 16, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 23, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 32, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": 
"aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 39, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 46, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 53, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + 
"searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 10, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 18, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 26, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + 
"issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 36, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 44, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 52, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 60, - 
"filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 5, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 11, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 17, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + 
"expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 23, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 35, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 41, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": 
"LOW",
 "line": 47,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Wide Private Network",
 "severity": "LOW",
 "line": 53,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json
index 54eabf1329b..905ae31feed 100644
--- a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Service Control Policies Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_organizations_organization",
+ "resourceName": "positive1",
+ "searchKey": "aws_organizations_organization[positive1].feature_set",
+ "searchValue": "",
+ "expectedValue": "'feature_set' should be set to 'ALL' or undefined",
+ "actualValue": "'feature_set' is set to 'CONSOLIDATED_BILLING'",
+ "issueType": "IncorrectValue"
 }
 ]
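Review bot: Several records in this fixture now differ only in `searchValue` — the two `aws_security_group[positive1_ipv4_1].ingress` findings at line 3 carry `"UDP,22"` and `"TCP,22"`, and the same pattern repeats for positive2/positive3/positive4 — so the added fields only tighten the regression check if the test harness compares the full record rather than the four keys the old fixture had (queryName, severity, line, filename). That comparison lives outside this diff, so it is worth confirming before relying on these entries to pin the expected/actual messages. The same observation applies to the sensitive_port_is_exposed_to_small_public_network fixture in the preceding hunk.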
diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
index e4ff470c989..7a5db066b4b 100644
--- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "SES Policy With Allowed IAM Actions",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "aws_ses_identity_policy",
+ "resourceName": "example",
+ "searchKey": "aws_ses_identity_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "'policy' should not allow IAM actions to all principals",
+ "actualValue": "'policy' allows IAM actions to all principals",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
index 28729391b1d..0c8b90a931d 100644
--- a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Shield Advanced Not In Use",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "positive1",
+ "searchKey": "aws_eip[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_eip has shield advanced associated",
+ "actualValue": "aws_eip does not have shield advanced associated",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shield Advanced Not In Use",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_route53_zone",
+ "resourceName": "example.com",
+ "searchKey": "aws_route53_zone[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_route53_zone has shield advanced associated",
+ "actualValue": "aws_route53_zone does not have shield advanced associated",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
index 0981ea3bf62..9febcca0905 100644
--- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "SNS Topic Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "user-updates-topic",
+ "searchKey": "aws_sns_topic[user_updates].kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "SNS Topic should not be encrypted with AWS managed key",
+ "actualValue": "SNS Topic is encrypted with AWS managed key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SNS Topic Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "sns_ecnrypted",
+ "searchKey": "aws_sns_topic[test].kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "SNS Topic should not be encrypted with AWS managed key",
+ "actualValue": "SNS Topic is encrypted with AWS managed key",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
index cd70fcac674..c684f34a5c5 100644
--- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
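Review bot: `"resourceName": "sns_ecnrypted"` in the positive2.tf record looks like a typo of "encrypted". Going by the positive1.tf record ("user-updates-topic" for `aws_sns_topic[user_updates]`), resourceName presumably mirrors the `name` attribute the scanner reads from the fixture .tf, so correcting it in this file alone would break the match; if it is to be fixed, change the `name` in positive2.tf and regenerate this entry together, otherwise leave both as they are. The rest of the record is consistent with the positive1.tf entry.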
@@ -3,60 +3,130 @@
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 2,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sns_topic",
+    "resourceName": "positive1",
+    "searchKey": "aws_sns_topic[positive1].policy",
+    "searchValue": "0",
+    "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[0].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 7,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "topic_policy",
+    "searchValue": "0",
+    "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[0].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 12,
-    "fileName": "positive3.tf"
+    "filename": "positive3.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals",
+    "searchValue": "",
+    "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal",
+    "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 12,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[sns_topic_with_policy_statements_not_limited_access].topic_policy_statements[0].principals",
+    "searchValue": "",
+    "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal",
+    "actualValue": "'topic_policy_statements[0].principals[0].identifiers' 
contains '*' for an AWS Principal",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 2,
-    "fileName": "positive5.tf"
+    "filename": "positive5.tf",
+    "resourceType": "aws_sns_topic",
+    "resourceName": "positive1",
+    "searchKey": "aws_sns_topic[positive1].policy",
+    "searchValue": "0",
+    "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[0].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 2,
-    "fileName": "positive5.tf"
+    "filename": "positive5.tf",
+    "resourceType": "aws_sns_topic",
+    "resourceName": "positive1",
+    "searchKey": "aws_sns_topic[positive1].policy",
+    "searchValue": "2",
+    "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[2].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 7,
-    "fileName": "positive6.tf"
+    "filename": "positive6.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "topic_policy",
+    "searchValue": "0",
+    "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[0].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 7,
-    "fileName": "positive6.tf"
+    "filename": "positive6.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "topic_policy",
+    "searchValue": "2",
+    "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'",
+    "actualValue": "'Statement[2].Principal.AWS' contains '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 12,
-    "fileName": "positive7.tf"
+    "filename": "positive7.tf",
+    "resourceType": "n/a",
+
"resourceName": "n/a",
+    "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals",
+    "searchValue": "",
+    "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal",
+    "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic is Publicly Accessible",
     "severity": "CRITICAL",
     "line": 34,
-    "fileName": "positive7.tf"
+    "filename": "positive7.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[2].principals",
+    "searchValue": "",
+    "expectedValue": "'topic_policy_statements[2].principals[0].identifiers' shouldn't contain '*' for an AWS Principal",
+    "actualValue": "'topic_policy_statements[2].principals[0].identifiers' contains '*' for an AWS Principal",
+    "issueType": "IncorrectValue"
   }
 ]
diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json
index 3e178210b87..209d6369ec2 100644
--- a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SNS Topic Not Encrypted",
     "severity": "HIGH",
     "line": 3,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sns_topic",
+    "resourceName": "user-updates-topic",
+    "searchKey": "aws_sns_topic[user_updates].kms_master_key_id",
+    "searchValue": "",
+    "expectedValue": "SNS Topic should be encrypted",
+    "actualValue": "SNS Topic is not encrypted",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic Not Encrypted",
     "severity": "HIGH",
     "line": 5,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "aws_sns_topic",
+    "resourceName": "sns_not_ecnrypted",
+    "searchKey": "aws_sns_topic[test]",
+    "searchValue": "",
+    "expectedValue": "SNS Topic should be encrypted",
+    "actualValue": "SNS Topic is not encrypted",
+    "issueType": "MissingAttribute"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json
index 560428c2142..a0664d91995 100644
--- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously",
     "severity": "MEDIUM",
     "line": 8,
-    "filename": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sns_topic_policy",
+    "resourceName": "positive2",
+    "searchKey": "aws_sns_topic_policy[positive2].policy",
+    "searchValue": "",
+    "expectedValue": "aws_sns_topic_policy[positive2].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously",
+    "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously",
     "severity": "MEDIUM",
     "line": 12,
-    "filename": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[s3_bucket].policy",
+    "searchValue": "",
+    "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously",
+    "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously",
+    "issueType": "IncorrectValue"
   }
 ]
diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
index 9f4fb9ef38f..21a2817587e 100644
--- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json
@@ -3,102 +3,221 @@
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 5,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-1].ingress",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-1].ingress opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 26,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-2].ingress[1]",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 39,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-3].ingress",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 60,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": 
"aws_security_group[positive1-4].ingress[1]",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 73,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-5].ingress",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 87,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-6].ingress",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 101,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_security_group",
+    "resourceName": "allow_tls",
+    "searchKey": "aws_security_group[positive1-7].ingress",
+    "searchValue": "",
+    "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group[positive1-7].ingress opens SQL Analysis Services Port 2383",
+    "issueType": 
"IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 7,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "aws_vpc_security_group_ingress_rule",
+    "resourceName": "positive2-1",
+    "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]",
+    "searchValue": "",
+    "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 17,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "aws_vpc_security_group_ingress_rule",
+    "resourceName": "positive2-2",
+    "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]",
+    "searchValue": "",
+    "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 7,
-    "fileName": "positive3.tf"
+    "filename": "positive3.tf",
+    "resourceType": "aws_security_group_rule",
+    "resourceName": "positive3-1",
+    "searchKey": "aws_security_group_rule[positive3-1]",
+    "searchValue": "",
+    "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 17,
-    "fileName": "positive3.tf"
+    "filename": "positive3.tf",
+    "resourceType": 
"aws_security_group_rule",
+    "resourceName": "positive3-2",
+    "searchKey": "aws_security_group_rule[positive3-2]",
+    "searchValue": "",
+    "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "aws_security_group_rule[positive3-2] opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 11,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 30,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 49,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open SQL 
Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 63,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 82,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible",
     "severity": "MEDIUM",
     "line": 96,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2",
+    "searchValue": "",
+    "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383",
+    "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 
2383",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
index 28b216d8473..e0a12fdbdb0 100644
--- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SQS Policy Allows All Actions",
     "severity": "HIGH",
     "line": 8,
-    "filename": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sqs_queue_policy",
+    "resourceName": "positive2",
+    "searchKey": "aws_sqs_queue_policy[positive2].policy",
+    "searchValue": "",
+    "expectedValue": "'policy.Statement.Action' should not equal '*'",
+    "actualValue": "'policy.Statement.Action' is equal '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS Policy Allows All Actions",
     "severity": "HIGH",
     "line": 12,
-    "filename": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[s3_bucket].policy",
+    "searchValue": "",
+    "expectedValue": "'policy.Statement.Action' should not equal '*'",
+    "actualValue": "'policy.Statement.Action' is equal '*'",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json
index 6e7fbd9b231..8a1aa0a6191 100755
--- a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json
@@ -2,16 +2,40 @@
   {
     "queryName": "SQS Policy With Public Access",
     "severity": "MEDIUM",
-    "line": 8
+    "line": 8,
+    "filename": "positive.tf",
+    "resourceType": "aws_sqs_queue_policy",
+    "resourceName": "test",
+    "searchKey": "aws_sqs_queue_policy[test].policy",
+    "searchValue": "",
+    "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'",
+    "actualValue": "'policy.Statement.Principal.AWS' is equal '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS Policy With Public Access",
     "severity": "MEDIUM",
-    "line": 39
+    "line": 39,
+    "filename": "positive.tf",
+    "resourceType": "aws_sqs_queue_policy",
+    "resourceName": "test_aws",
+    "searchKey": "aws_sqs_queue_policy[test_aws].policy",
+    "searchValue": "",
+    "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'",
+    "actualValue": "'policy.Statement.Principal.AWS' is equal '*'",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS Policy With Public Access",
     "severity": "MEDIUM",
-    "line": 64
+    "line": 64,
+    "filename": "positive.tf",
+    "resourceType": "aws_sqs_queue_policy",
+    "resourceName": "test_aws_array",
+    "searchKey": "aws_sqs_queue_policy[test_aws_array].policy",
+    "searchValue": "",
+    "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'",
+    "actualValue": "'policy.Statement.Principal.AWS' is equal '*'",
+    "issueType": "IncorrectValue"
   }
 ]
diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json
index f2110c7add2..38424a9c4d1 100644
--- a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SQS Queue Exposed",
     "severity": "HIGH",
     "line": 4,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sqs_queue",
+    "resourceName": "examplequeue",
+    "searchKey": "aws_sqs_queue[positive1].policy",
+    "searchValue": "",
+    "expectedValue": "resource.aws_sqs_queue[positive1].policy.Principal shouldn't get the queue publicly accessible",
+    "actualValue": "resource.aws_sqs_queue[positive1].policy.Principal does get the queue publicly accessible",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS Queue Exposed",
     "severity": "HIGH",
     "line": 12,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[user_queue]",
+    "searchValue": "",
+    "expectedValue": "'policy.Principal' shouldn't get the queue publicly accessible",
+    "actualValue": "'policy.Principal' does get the queue publicly accessible",
+    "issueType": "IncorrectValue"
   }
 ]
diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json
index eb09d54acff..bd836142a60 100644
--- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SQS VPC Endpoint Without DNS Resolution",
     "severity": "LOW",
     "line": 95,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_vpc_endpoint",
+    "resourceName": "sqs-vpc-endpoint",
+    "searchKey": "aws_vpc_endpoint[sqs-vpc-endpoint].vpc_id",
+    "searchValue": "",
+    "expectedValue": "'enable_dns_support' should be set to true or undefined",
+    "actualValue": "'enable_dns_support' is set to false",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS VPC Endpoint Without DNS Resolution",
     "severity": "LOW",
     "line": 13,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[vpc].enable_dns_support",
+    "searchValue": "",
+    "expectedValue": "'enable_dns_support' should be set to true or undefined",
+    "actualValue": "'enable_dns_support' is set to false",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json
index b83429dea8f..f11c2b152fa 100644
--- a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json
@@ -3,42 +3,91 @@
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 1,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_sqs_queue",
+    "resourceName": "terraform-example-queue",
+    "searchKey": "aws_sqs_queue[positive1]",
+    "searchValue": "",
+    "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null",
+    "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null",
+    "issueType": "MissingAttribute"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 3,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "aws_sqs_queue",
+    "resourceName": "terraform-example-queue",
+    "searchKey": "aws_sqs_queue[positive2].kms_master_key_id",
+    "searchValue": "",
+    "expectedValue": "aws_sqs_queue.kms_master_key_id should not be ''",
+    "actualValue": "aws_sqs_queue.kms_master_key_id is ''",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 1,
-    "fileName": "positive3.tf"
+    "filename": "positive3.tf",
+    "resourceType": "aws_sqs_queue",
+    "resourceName": "terraform-example-queue",
+    "searchKey": "aws_sqs_queue[positive3]",
+    "searchValue": "",
+    "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null",
+    "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null",
+    "issueType": "MissingAttribute"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 1,
-    "fileName": "positive4.tf"
+    "filename": "positive4.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[user_queue]",
+    "searchValue": "",
+    "expectedValue": "'kms_master_key_id' should be defined and not null",
+
"actualValue": "'kms_master_key_id' is undefined or null",
+    "issueType": "MissingAttribute"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 12,
-    "fileName": "positive5.tf"
+    "filename": "positive5.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[user_queue]",
+    "searchValue": "",
+    "expectedValue": "'kms_master_key_id' should not be empty",
+    "actualValue": "'kms_master_key_id' is empty",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 1,
-    "fileName": "positive6.tf"
+    "filename": "positive6.tf",
+    "resourceType": "n/a",
+    "resourceName": "n/a",
+    "searchKey": "module[user_queue]",
+    "searchValue": "",
+    "expectedValue": "'kms_master_key_id' should be defined and not null",
+    "actualValue": "'kms_master_key_id' is undefined or null",
+    "issueType": "MissingAttribute"
   },
   {
     "queryName": "SQS With SSE Disabled",
     "severity": "MEDIUM",
     "line": 3,
-    "fileName": "positive7.tf"
+    "filename": "positive7.tf",
+    "resourceType": "aws_sqs_queue",
+    "resourceName": "terraform-example-queue",
+    "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled",
+    "searchValue": "",
+    "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true",
+    "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to false",
+    "issueType": "IncorrectValue"
   }
 ]
diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json
index f7a3c9b578d..8cd845897c7 100644
--- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SSM Session Transit Encryption Disabled",
     "severity": "MEDIUM",
     "line": 5,
-    "fileName": "positive1.tf"
+    "filename": "positive1.tf",
+    "resourceType": "aws_ssm_document",
+    "resourceName": "test_document",
+    "searchKey": "aws_ssm_document[positive1].content",
+    "searchValue": "",
+    "expectedValue": "'inputs' should be defined and not null",
+    "actualValue": "'inputs' is undefined or null",
+    "issueType": "MissingAttribute"
   },
   {
     "queryName": "SSM Session Transit Encryption Disabled",
     "severity": "MEDIUM",
     "line": 5,
-    "fileName": "positive2.tf"
+    "filename": "positive2.tf",
+    "resourceType": "aws_ssm_document",
+    "resourceName": "test_document",
+    "searchKey": "aws_ssm_document[positive2].content",
+    "searchValue": "",
+    "expectedValue": "'inputs.kmsKeyId' should be defined and not null",
+    "actualValue": "'inputs.kmsKeyId' is undefined or null",
+    "issueType": "MissingAttribute"
   }
 ]
diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json
index 2cf5ed333b9..54a98554328 100644
--- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json
@@ -3,12 +3,26 @@
     "queryName": "SSO Permission With Inadequate User Session Duration",
     "severity": "LOW",
     "line": 6,
-    "fileName": "positive.tf"
+    "filename": "positive.tf",
+    "resourceType": "aws_ssoadmin_permission_set_inline_policy",
+    "resourceName": "Example",
+    "searchKey": "aws_ssoadmin_permission_set[example3].session_duration",
+    "searchValue": "",
+    "expectedValue": "session_duration should not be higher than 1 hour",
+    "actualValue": "session_duration is higher than 1 hour",
+    "issueType": "IncorrectValue"
   },
   {
     "queryName": "SSO Permission With Inadequate User Session Duration",
     "severity": "LOW",
     "line": 14,
-    "fileName": "positive.tf"
+    "filename": "positive.tf",
+    "resourceType": "aws_ssoadmin_permission_set_inline_policy",
+    "resourceName": "Example",
+    "searchKey": "aws_ssoadmin_permission_set[example4].session_duration",
+    "searchValue": "",
+    "expectedValue": "session_duration should not be higher than 1 hour",
+    "actualValue": "session_duration is higher than 1 hour",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json
index 664f7349db6..35e4b065118 100644
--- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json
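Review bot: Both new entries pin `"resourceType": "aws_ssoadmin_permission_set_inline_policy"` while their searchKey points at a different resource (`aws_ssoadmin_permission_set[example3].session_duration` and `...[example4]...`), and both carry the same `"resourceName": "Example"`. That presumably is what the query emits today, so accepting the fixture as-is freezes a misattributed resourceType into the expected result and any later fix to the query would then fail this test. Worth checking the query's resourceType/resourceName derivation against positive.tf before merging, and regenerating this file once it is corrected.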
@@ -3,6 +3,13 @@
     "queryName": "SSO Policy with full privileges",
     "severity": "MEDIUM",
     "line": 4,
-    "fileName": "positive.tf"
+    "filename": "positive.tf",
+    "resourceType": "aws_ssoadmin_permission_set_inline_policy",
+    "resourceName": "pos1",
+    "searchKey": "aws_ssoadmin_permission_set_inline_policy[pos1].inline_policy",
+    "searchValue": "",
+    "expectedValue": "inline_policy.Statement.Action should not equal to, nor contain '*'",
+    "actualValue": "inline_policy.Statement.Action is equal to or contains '*'",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json
index 68cd68bf846..219a84dc70c 100644
--- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
     "queryName": "SSO Identity User Unsafe Creation",
     "severity": "MEDIUM",
     "line": 1,
-    "fileName": "positive.tf"
+    "filename": "positive.tf",
+    "resourceType": "aws_identitystore_user",
+    "resourceName": "",
+    "searchKey": "aws_identitystore_user[example]",
+    "searchValue": "",
+    "expectedValue": "aws_identitystore_user resource should not be used",
+    "actualValue": "aws_identitystore_user resource is used",
+    "issueType": "IncorrectValue"
   }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json
index 43f3b791e09..c62f8cc14b5 100644
--- a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json
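Review bot: The SSO Identity User Unsafe Creation entry pins `"resourceName": ""`, an empty string, whereas every other entry in this diff that has no usable name reports `"n/a"`. The empty value is probably what the query emits for `aws_identitystore_user[example]` when no name attribute is present, but freezing it here means the fixture now asserts the inconsistency rather than the intended contract. Confirm which value the query should report for this resource and regenerate the file from that, rather than committing the empty string.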
@@ -2,6 +2,14 @@
 {
 "queryName": "Stack Notifications Disabled",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudformation_stack",
+ "resourceName": "networking-stack",
+ "searchKey": "aws_cloudformation_stack[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'notification_arns' should be set",
+ "actualValue": "Attribute 'notification_arns' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json
index 7a4a46d716e..296ef5c45eb 100644
--- a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Stack Retention Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudformation_stack_set_instance",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudformation_stack_set_instance[positive1].retain_stack",
+ "searchValue": "",
+ "expectedValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack should be true ",
+ "actualValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Stack Retention Disabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudformation_stack_set_instance",
+ "resourceName": "positive2",
+ "searchKey": "aws_cloudformation_stack_set_instance[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack should be defined and not null",
+ "actualValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
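Review bot: The first new `expectedValue` in the `stack_retention_disabled` hunk ends with a trailing space (`"...retain_stack should be true "`), which the fixture now pins as the exact remediation text. The string almost certainly mirrors the query's `keyExpectedValue` sprintf, so the fix belongs in `query.rego` (drop the trailing space) with the fixture regenerated to `"expectedValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack should be true"`; hand-editing only the JSON would break the exact-match comparison. Trailing whitespace in finding text also leaks into SARIF/JSON reports and trips diff-based baselines, so a whitespace lint over the generated fixtures would catch the rest of the corpus.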
diff --git a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json
index eb17c05fc24..24e635897bd 100644
--- a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Stack Without Template",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudformation_stack",
+ "resourceName": "networking-stack",
+ "searchKey": "aws_cloudformation_stack[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set",
+ "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json
index db60b61449e..2e9c6c6fc49 100644
--- a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json
@@ -1,38 +1,80 @@
 [
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 8,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive3.tf"
- },
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive4.tf"
- },
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 9,
- "fileName": "positive5.tf"
- },
- {
- "queryName": "Tags Not Copied to RDS Cluster Snapshot",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive6.tf"
- }
-]
\ No newline at end of file
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 8,
+ "filename": "positive1.tf",
+ "resourceType": "aws_rds_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_rds_cluster[example].copy_tags_to_snapshot",
+ "searchValue": "",
+ "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be set to true",
+ "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "aws_rds_cluster",
+ "resourceName": "example",
+ "searchKey": "aws_rds_cluster[example]",
+ "searchValue": "",
+ "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be defined to true",
+ "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 11,
+ "filename": "positive3.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "example",
+ "searchKey": "aws_db_instance[example].copy_tags_to_snapshot",
+ "searchValue": "",
+ "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be set to true",
+ "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive4.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "example",
+ "searchKey": "aws_db_instance[example]",
+ "searchValue": "",
+ "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be defined to true",
+ "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 9,
+ "filename": "positive5.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[rds_cluster].copy_tags_to_snapshot",
+ "searchValue": "",
+ "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true",
+ "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Tags Not Copied to RDS Cluster Snapshot",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive6.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[rds_cluster]",
+ "searchValue": "",
+ "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true",
+ "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined",
+ "issueType": "MissingAttribute"
+ }
+]
diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
index cf294ab2f7e..9540a361c90 100644
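Review bot: The `tags_not_copied_to_rds_cluster_snapshot` hunk replaces every line of the file (`@@ -1,38 +1,80 @@`, all six old entries removed and re-added) although only the new fields are actually new, which suggests the generator also re-indented this file; that hides the real change and makes `git blame` on the fixture useless. Emit the JSON with the same indent the existing file used so the diff shows only the inserted `filename`/`resourceType`/…/`issueType` lines, as the other hunks in this change do. The `positive2`/`positive4`/`positive6` wording `should be defined to true` reads oddly; if it mirrors the rego, fix it there (`should be defined and set to true`) and regenerate rather than editing the JSON.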
--- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json
@@ -3,102 +3,221 @@
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-1].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-1].ingress ports are known",
+ "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-2].ingress[1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-2].ingress[1] ports are known",
+ "actualValue": "aws_security_group[positive1-2].ingress[1] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 39,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-3].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-3].ingress ports are known",
+ "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 60,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-4].ingress[1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known",
+ "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 73,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-5].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-5].ingress ports are known",
+ "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 87,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-6].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-6].ingress ports are known",
+ "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 101,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-7].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-7].ingress ports are known",
+ "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-2",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are known",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-1",
+ "searchKey": "aws_security_group_rule[positive3-1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-1] ports are known",
+ "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-2",
+ "searchKey": "aws_security_group_rule[positive3-2]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-2] ports are known",
+ "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known",
+ "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 30,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known",
+ "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 44,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known",
+ "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 63,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known",
+ "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 82,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unknown Port Exposed To Internet",
 "severity": "HIGH",
 "line": 96,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
index 7dd42051ddc..eacceb00f18 100644
--- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json
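Review bot: All seven `positive1.tf` entries in the `unknown_port_exposed_to_internet` hunk carry `"resourceName": "allow_tls"` although they point at seven distinct security groups (`positive1-1` … `positive1-7`), so `resourceName` cannot tell the findings apart and only `line`/`searchKey` do. That is plausible if every block in `positive1.tf` sets `name = "allow_tls"`, but it is worth confirming against the test file; if the names differ, the fixture is wrong and will fail the exact-match comparison. Giving each test resource a distinct `name` would also make a regression in resource-name resolution visible in this fixture instead of masked by identical values.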
@@ -3,108 +3,234 @@
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-ipv4",
+ "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 16,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-ipv6",
+ "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 33,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-ipv4_array",
+ "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 49,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-ipv6_array",
+ "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-ipv4",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 should not be equal to '0.0.0.0/0'",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 is equal to '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 15,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-ipv6_1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 should not be equal to '::/0'",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 is equal to '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 24,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-ipv6_2",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 should not be equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 is equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-ipv4",
+ "searchKey": "aws_security_group_rule[positive3-ipv4].cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'",
+ "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 15,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-ipv6_1",
+ "searchKey": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 24,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-ipv6_2",
+ "searchKey": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks should not contain '0:0:0:0:0:0:0:0/0'",
+ "actualValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks contains '0:0:0:0:0:0:0:0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 4,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-ipv4].ingress_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-ipv4].ingress_cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "module[positive4-ipv4].ingress_cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 16,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 22,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 34,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 48,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'",
+ "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 58,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Unrestricted Security Group Ingress",
 "severity": "HIGH",
 "line": 72,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'",
+ "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json
index 7b15042be08..b459d3636b5 100644
--- a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Unscanned ECR Image",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "img_p_2",
+ "searchKey": "aws_ecr_repository[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined",
+ "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Unscanned ECR Image",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "img_p_1",
+ "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true",
+ "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
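Review bot: The `positive3-ipv4` entry in the `unrestricted_security_group_ingress` hunk has a stray apostrophe in both messages (`aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'` and `...cidr_blocks' contains '0.0.0.0/0'`) that none of the sibling entries have. It is presumably copied from the query's sprintf format for the `aws_security_group_rule` branch, so fix it in `query.rego` and regenerate to `"expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks should not contain '0.0.0.0/0'"` / `"actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks contains '0.0.0.0/0'"`; editing only the JSON would break the exact-match test. The `positive2-ipv6_2` and `positive3-ipv6_2` entries pinning the unabbreviated `0000:…:0000/0` and `0:0:0:0:0:0:0:0/0` spellings of the IPv6 any-address are valuable coverage — that is exactly the bypass a naive `::/0` string compare misses — so keep them.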
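Review bot: In the `unscanned_ecr_image` hunk the `positive1` entry (line 1) has `"resourceName": "img_p_2"` and the `positive2` entry (line 11) has `"resourceName": "img_p_1"`, which looks swapped relative to the resource labels. That may simply be how the repositories are named in `positive.tf`, but please verify, since a wrong name here would only be caught if the comparison is strict on `resourceName`. The `positive2` `expectedValue` is also phrased as a statement (`...scan_on_push is true`) unlike the `should be …` wording used across the rest of this change; if it comes from the rego, aligning it there to `...scan_on_push should be true` keeps remediation text consistent for report consumers.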
diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
index fed5ff19d06..0d75a3a47d6 100644
--- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "positive1",
+ "searchKey": "aws_launch_configuration[positive1].user_data_base64",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key",
+ "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive2].user_data_base64",
+ "searchValue": "",
+ "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key",
+ "actualValue": "'user_data_base64' contains RSA Private Key",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "User Data Contains Encoded Private Key",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive3].user_data_base64",
+ "searchValue": "",
+ "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key",
+ "actualValue": "'user_data_base64' contains RSA Private Key",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
index a5187a85df5..775f3a36689 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
index fadf1f82e70..895fbe56621 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
index cc364849975..a276e8a00f6 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
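Review bot: The `expectedValue` for iam:AddUserToGroup reads "user cosmic should not be associated …" while every neighbouring privilege-escalation fixture in this diff uses "user cosmic shouldn't be associated …"; the same "should not" wording appears in the iam_PutGroupPolicy, iam_PutRolePolicy and iam_PutUserPolicy fixtures. These files presumably mirror the message text emitted by each query's rego, so the JSON should not be hand-edited; if the wording is meant to be uniform across the family, the fix is to align the `keyExpectedValue` string in those four queries and regenerate the expected results. If the divergence is intentional, a one-line remark in the commit message would save the next reviewer from raising it again.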
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
index f13a564510c..03bf5b03d6b 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
index cfa007e434e..babf50a738f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
index 91f4cdc0430..6878918ca5d 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
index 143dfff1de7..e8ae7279fa6 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
index b352f43641b..e3067651e6f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
index 879bd188148..125cd680b5d 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
index 0c13f4076a7..5f82e7abef2 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
index 1a3d09d345f..97de3fa3a19 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
index 4cee4fa0fd8..e593e3320d3 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
index a91dbda2cc9..d0805e13daa 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
index 8b92368e2b1..569d2314d18 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
index 77d75f77411..0fc79e327b2 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
index 2f7cf644813..ff7a393c774 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
index 89f59bd7941..9323b323d47 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
index f7792753ab7..3b80234df31 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
index 86b7d699b34..40b21e493c9 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_iam_user",
+ "resourceName": "cosmic",
+ "searchKey": "aws_iam_user[cosmic]",
+ "searchValue": "",
+ "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json
index 01328bc7e3e..f7aef4ff73d 100644
--- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default",
+ "searchKey": "aws_default_security_group[{{default}}].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined",
+ "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default",
+ "searchKey": "aws_default_security_group[{{default}}].egress",
+ "searchValue": "",
+ "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined",
+ "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default3",
+ "searchKey": "aws_default_security_group[{{default3}}].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined",
+ "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
- "line": 18,
- "fileName": "positive2.tf"
+ "line": 14,
+ "filename": "positive2.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default3",
+ "searchKey": "aws_default_security_group[{{default3}}].ingress.ipv6_cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "'ingress' should be undefined",
+ "actualValue": "'ingress' accepts all traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
- "line": 14,
- "fileName": "positive2.tf"
+ "line": 18,
+ "filename": "positive2.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default3",
+ "searchKey": "aws_default_security_group[{{default3}}].egress",
+ "searchValue": "",
+ "expectedValue": "aws_default_security_group[{{default3}}] should not have 'egress' defined",
+ "actualValue": "aws_default_security_group[{{default3}}] has 'egress' defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Default Security Group Accepts All Traffic",
 "severity": "HIGH",
 "line": 23,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_default_security_group",
+ "resourceName": "default3",
+ "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks",
+ "searchValue": "",
+ "expectedValue": "'egress' should be undefined",
+ "actualValue": "'egress' accepts all traffic",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json
index 3785d8deeae..1c31e190d77 100644
--- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json
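Review bot: The fourth and fifth positive2.tf entries do not only gain fields: their existing `line` values are swapped (`- "line": 18,` / `+ "line": 14,` and `- "line": 14,` / `+ "line": 18,`), so the entries for `.ingress.ipv6_cidr_blocks` and `.egress` change places in the array. If the expected-result comparison is order-insensitive this is a no-op, but it is still a change to pre-existing values in a commit that otherwise appends, and deserves a sentence in the commit message. It is also worth a second look that the `.ingress.ipv6_cidr_blocks` entry carries `"expectedValue": "'ingress' should be undefined"` rather than a message about the `ipv6_cidr_blocks` attribute the `searchKey` points at; if that wording comes straight from the query, the fixture is faithful and the wording question belongs to the rego.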
@@ -3,24 +3,52 @@
 "queryName": "VPC FlowLogs Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_flow_log",
+ "resourceName": "example",
+ "searchKey": "aws_flow_log[example]",
+ "searchValue": "",
+ "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null",
+ "actualValue": "aws_flow_log[example].vpc_id is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "VPC FlowLogs Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_vpc",
+ "resourceName": "main",
+ "searchKey": "aws_vpc[main]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id",
+ "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC FlowLogs Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "vpc.enable_flow_log",
+ "searchValue": "",
+ "expectedValue": "vpc.enable_flow_log should be set to true",
+ "actualValue": "vpc.enable_flow_log is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC FlowLogs Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "vpc",
+ "searchValue": "",
+ "expectedValue": "vpc.enable_flow_log should be set to true",
+ "actualValue": "vpc.enable_flow_log is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json
index ba50c0dd7dd..de791251567 100644
--- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "VPC Peering Route Table with Unrestricted CIDR",
 "severity": "HIGH",
 "line": 118,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_route",
+ "resourceName": "public_route_table",
+ "searchKey": "aws_route_table[public_route_table].route",
+ "searchValue": "",
+ "expectedValue": "aws_route_table[public_route_table].route restricts CIDR",
+ "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Peering Route Table with Unrestricted CIDR",
 "severity": "HIGH",
 "line": 132,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_route",
+ "resourceName": "private_route2",
+ "searchKey": "aws_route[private_route2]",
+ "searchValue": "",
+ "expectedValue": "aws_route[private_route2] restricts CIDR",
+ "actualValue": "aws_route[private_route2] does not restrict CIDR",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Peering Route Table with Unrestricted CIDR",
 "severity": "HIGH",
 "line": 118,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "aws_route",
+ "resourceName": "public_route_table",
+ "searchKey": "aws_route_table[public_route_table].route",
+ "searchValue": "",
+ "expectedValue": "aws_route_table[public_route_table].route restricts CIDR",
+ "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Peering Route Table with Unrestricted CIDR",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_route",
+ "resourceName": "art_nat_gw_out",
+ "searchKey": "aws_route_table[art_nat_gw_out].route",
+ "searchValue": "",
+ "expectedValue": "aws_route_table[art_nat_gw_out].route restricts CIDR",
+ "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR",
+ "issueType": "IncorrectValue"
 }
 ]
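Review bot: The positive1.tf, positive3.tf and positive4.tf entries record `"resourceType": "aws_route"` while their `searchKey`, `expectedValue` and `actualValue` all name an `aws_route_table` block (`aws_route_table[public_route_table].route`, `aws_route_table[art_nat_gw_out].route`); only the positive2.tf entry, whose `searchKey` is `aws_route[private_route2]`, is self-consistent. This looks like the query reporting a fixed resource type for both branches rather than the type of the resource it matched, in which case the fixture faithfully captures a defect in the rego and the two should be corrected together (`"resourceType": "aws_route_table"` for the inline-route entries) rather than the JSON being patched by hand. If `resourceType` is deliberately the logical route type rather than the Terraform block type, a comment in the query would make that intent clear.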
diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json
index a34fb706958..72b85dd60f1 100644
--- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "VPC Subnet Assigns Public IP",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_subnet",
+ "resourceName": "Positive",
+ "searchKey": "aws_subnet[positive].map_public_ip_on_launch",
+ "searchValue": "",
+ "expectedValue": "aws_subnet[positive].map_public_ip_on_launch should be set to false or undefined",
+ "actualValue": "aws_subnet[positive].map_public_ip_on_launch is set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Subnet Assigns Public IP",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "vpc.map_public_ip_on_launch",
+ "searchValue": "",
+ "expectedValue": "vpc.map_public_ip_on_launch should be set to false",
+ "actualValue": "vpc.map_public_ip_on_launch is set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "VPC Subnet Assigns Public IP",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "vpc",
+ "searchValue": "",
+ "expectedValue": "vpc.map_public_ip_on_launch should be set to false",
+ "actualValue": "vpc.map_public_ip_on_launch is set undefined",
+ "issueType": "IncorrectValue"
 }
 ]
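Review bot: The positive1.tf entry has `"resourceName": "Positive"` while its `searchKey` is `aws_subnet[positive].map_public_ip_on_launch`, so the two fields disagree on the case of the resource name; one of them is presumably derived from a different source (a tag or the block label) and whichever is wrong should be settled in the query before this fixture freezes it. Separately, the positive3.tf entry reports `"actualValue": "vpc.map_public_ip_on_launch is set undefined"` under `"issueType": "IncorrectValue"`, whereas the analogous undefined case in the vpc_flowlogs_disabled fixture in this same diff uses `MissingAttribute`; if the classification is meant to be uniform, the rego for the module branch should emit `MissingAttribute` (and a grammatical "is undefined") and the expected result be regenerated.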
diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json
index 6894110f441..71bbb147dbb 100644
--- a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "VPC Without Network Firewall",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "aws_vpc",
+ "resourceName": "positive",
+ "searchKey": "aws_vpc[positive]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc[positive] has an 'aws_networkfirewall_firewall' associated",
+ "actualValue": "aws_vpc[positive] does not have an 'aws_networkfirewall_firewall' associated",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
index 4c65ef315d2..624ecf9f3ec 100644
--- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Vulnerable Default SSL Certificate",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "aws_cloudfront_distribution[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null",
+ "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Vulnerable Default SSL Certificate",
 "severity": "MEDIUM",
- "line": 88
+ "line": 88,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive3",
+ "searchKey": "aws_cloudfront_distribution[positive3].viewer_certificate",
+ "searchValue": "cloudfront_default_certificate",
+ "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined",
+ "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Vulnerable Default SSL Certificate",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive4",
+ "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate",
+ "searchValue": "minimum_protocol_version",
+ "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.",
+ "actualValue": "Attribute 'minimum_protocol_version' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Vulnerable Default SSL Certificate",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive4",
+ "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate",
+ "searchValue": "ssl_support_method",
+ "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.",
+ "actualValue": "Attribute 'ssl_support_method' is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json
index 73ed7cba6aa..6777429dc42 100644
--- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example",
+ "searchKey": "aws_workspaces_workspace[{{example}}].workspace_properties.user_volume_size_gib",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
 "line": 12,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example_2",
+ "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
- "line": 11,
- "filename": "positive3.tf"
+ "line": 10,
+ "filename": "positive3.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example_3",
+ "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.user_volume_size_gib",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
- "line": 10,
- "filename": "positive3.tf"
+ "line": 11,
+ "filename": "positive3.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example_3",
+ "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example_4",
+ "searchKey": "aws_workspaces_workspace[{{example_4}}].root_volume_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Workspaces Workspace Volume Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "aws_workspaces_workspace",
+ "resourceName": "example_4",
+ "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true",
+ "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json
index a7df71f21cb..b4a972c090f 100644
--- a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json
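Review bot: The `searchKey` recorded for the four MissingAttribute entries points at `workspace_properties.user_volume_size_gib` / `workspace_properties.root_volume_size_gib`, while the `expectedValue` and `actualValue` describe `user_volume_encryption_enabled` / `root_volume_encryption_enabled` being missing, so the location a reader is sent to is a sibling attribute rather than the one the finding is about. This is presumably the query anchoring on an attribute that does exist when the encryption flag is absent; if that is intended, a one-line comment in the query's rego explaining the anchor would stop this fixture from reading as a mismatch, and if not, the fixture should be regenerated once the query is corrected. The two positive3.tf entries also swap their `line` values (11→10 and 10→11), which looks like the entries are now emitted in line order; worth confirming that the fixture comparison is order-insensitive, since otherwise the swap changes what the test asserts.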
@@ -3,24 +3,52 @@
 "queryName": "BOM - AWS DynamoDB",
 "severity": "TRACE",
 "line": 21,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_dynamodb_table[basic-dynamodb-table]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS DynamoDB",
 "severity": "TRACE",
 "line": 21,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_dynamodb_table[example2-table]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS DynamoDB",
 "severity": "TRACE",
 "line": 21,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_dynamodb_table[example3-table]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS DynamoDB",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_dynamodb_table[example3-table]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json
index d8e95f01d7b..17737b89b39 100644
--- a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json
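Review bot: The positive4.tf entry records `searchKey` `aws_dynamodb_table[example3-table]`, the same resource name as the positive3.tf entry, and is reported at `line` 1 whereas the other three entries are at line 21. If positive4.tf really declares a second table named example3-table that is fine, but a copy-pasted resource name means the two cases no longer exercise distinct resources; confirm against the .tf file and, if it is accidental, rename the resource in positive4.tf and regenerate this entry.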
@@ -3,12 +3,26 @@
 "queryName": "BOM - AWS EBS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_ebs_volume[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS EBS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_ebs_volume[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json
index b6420a9e65f..09e622abc00 100644
--- a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "BOM - AWS EFS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_efs_file_system[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS EFS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_efs_file_system[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json
index ef7120ad605..16d7b961897 100644
--- a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json 
@@ -3,36 +3,78 @@
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 33,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive3]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 33,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive4]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 13,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive5]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Elasticache",
 "severity": "TRACE",
 "line": 13,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_elasticache_cluster[positive6]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json
index 8e5a045180d..b21aa2ecbbf 100644
--- a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "BOM - AWS Kinesis",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_kinesis_stream[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS Kinesis",
 "severity": "TRACE",
 "line": 20,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_kinesis_stream[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json
index 01fc6d11c02..9b318d28ff4 100644
--- a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "BOM - AWS MQ",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_mq_broker[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS MQ",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_mq_broker[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json
index 7b47467ba0f..63ceed2a643 100644
--- a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "BOM - AWS MSK",
 "severity": "TRACE",
 "line": 84,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_msk_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS MSK",
 "severity": "TRACE",
 "line": 84,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_msk_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json
index be834e67aa4..8b60101ff58 100644
--- a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "BOM - AWS RDS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_rds_cluster_instance[cluster_instances]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS RDS",
 "severity": "TRACE",
 "line": 23,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_db_instance[default]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS RDS",
 "severity": "TRACE",
 "line": 35,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_db_instance[sample3]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json
index f72b42f7543..d8b5bc5e2e3 100644
--- a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json
@@ -3,60 +3,130 @@
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive10.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive10]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive3.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive4.tf"
+ "filename": "positive3.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive3]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive5.tf"
+ "filename": "positive4.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive4]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive6.tf"
+ "filename": "positive5.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive5]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive7.tf"
+ "filename": "positive6.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive6]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive8.tf"
+ "filename": "positive7.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive7]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive9.tf"
+ "filename": "positive8.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive8]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS S3 Buckets",
 "severity": "TRACE",
 "line": 14,
- "fileName": "positive10.tf"
+ "filename": "positive9.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_s3_bucket[positive9]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json
index 269154f3820..93bb81c0fe6 100644
--- a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "BOM - AWS SNS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sns_topic[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SNS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sns_topic[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SNS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sns_topic[positive3]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SNS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sns_topic[positive4]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SNS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sns_topic[positive5]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json
index 442bcc91315..d5e149669c0 100644
--- a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "BOM - AWS SQS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sqs_queue[positive1]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SQS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sqs_queue[positive2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SQS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sqs_queue[positive3]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SQS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sqs_queue[positive4]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 },
 {
 "queryName": "BOM - AWS SQS",
 "severity": "TRACE",
 "line": 1,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "aws_sqs_queue[positive5]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json
index 206cee271c3..edf5475dc6c 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json
index ddf3d1cb713..179bf881999 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json
index 834f8a946ff..d92246170f6 100644
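Review bot: The `fileName` key is rewritten as `filename` in every entry of this hunk (and in every sibling positive_expected_result.json hunk on this page), which is a key-casing change to an existing field, not the purely additive `issueType` insert the generator script's module docstring describes as its only modification. Whether the test harness that loads these fixtures matches the key case-sensitively is not visible here; if it does, the renamed entries would silently lose their file name and the fixtures would stop pinning which .tf file each finding belongs to. Worth confirming the consumer's expected key before landing the rename across all fixtures at once, and either reverting to `"fileName"` or documenting the rename in the script's docstring so the two stay in agreement.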
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
index 587344375d0..5a203f537d9 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that
monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+
"resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
index 647418cc170..294deee2ff2 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
index d2b55122b20..850cd054bf2 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
index 62976f6c962..44836406ce2 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security
solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName":
"example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
index 5fc27a61d32..c3b20b3b3b5 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
index c2d325766f1..469654d3c63 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
index 62edf8ed52e..ec13bb65dee 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert'
resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+
"filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
index 52d093a64fd..cec6fbeb0dc 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
index 7879a0cfd5d..6d43af35cbf 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
index 8d4334d067d..666456076c8 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json
index 3903474e1c3..b067fab08ae 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json
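Review bot: Every entry tagged `IncorrectValue` in this hunk carries an `expectedValue` of "... should be defined", which is the remediation wording for a missing resource, while the matching `actualValue` reports that a criteria filter (`caller`, `level`, `levels`, `status`, `statuses`, `sub_status`, `sub_statuses`) is set on an alert that does exist. Practitioners read `expectedValue` as the fix, so for these entries it should state what the query actually requires — presumably that the alert's criteria carry no narrowing filter, since such a filter can suppress the events the control is meant to catch — e.g. `"expectedValue": "'azurerm_monitor_activity_log_alert[positive2_1]' should monitor 'create policy assignment' events without additional criteria filters"`. The text originates in query.rego and this fixture would be regenerated from it; the same wording is repeated in the positive2 fixtures of the other activity-log-alert queries in this diff.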
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json
index a5d81846400..b4e9edbdb07 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json
index 9aa5be053c2..621384b8e21 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security group' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json
index 2d4adf5066b..e4b4964176e 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json
index d9f4a65bc5e..26dff104b80 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json
index b72188b5295..636cb17340e 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json
index 1ff51775942..2c5de57b736 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "filename": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "filename": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json
index 1d75d906347..9ba78182036 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "filename": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
index db0d5cb17e5..9eaa815c278 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,91 @@
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "filename": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "filename": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
index 8f5b85d8d7b..4243047eeac 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index 9e174c03f4d..0b69ffeb281 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json index 48cd89dddfe..a9f84a5dc33 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,91 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 
'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 
'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json index df7ec6ee0e6..329d18cf11b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json index 0ec2da06fea..d35f1c8a28d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json index 07f54508d55..9f01f349459 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,91 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be 
defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json index c9a4b7e74c6..0a102b1a769 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index 315a11bcbfa..326a5849595 100644 
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json index 8e854727ca9..116c34733ec 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "filename": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "filename": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' 
events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json index 7f2aecf8f06..9fd50727f0d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json 
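Review bot: The three entries in this hunk carry the same actualValue (`... does not include 'Incident' in its 'criteria.service_health.events' array`) yet positive2_1 is labelled `"issueType": "IncorrectValue"` while positive2_2 and positive2_3 get `"issueType": "MissingAttribute"`, and the positive4 fixture for the same query (the hunk below, ending at the `activity_log_alert_for_service_health_not_configured/test/positive4` file) labels that identical message `IncorrectValue` for both of its entries. Since the commit's script assigns the type by matching expectedValue/actualValue patterns rather than re-running the scan, identical messages resolving to two different types suggests one of the assignments is wrong, or that the rego has two branches emitting the same message with different types. Either way it should be confirmed against the query's rego before these fixtures are taken as the expected results; if the rego does emit both types, the actualValue strings in the fixture (and the rego) would be clearer if they distinguished the "events array absent" case from the "array present but lacks 'Incident'" case.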
@@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "filename": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "filename": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json index 0063cec5071..9279938a24d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 29, - "fileName": "positive4_1.tf" + "filename": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json index 55b26065a68..6e7e066b1e1 100644 
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive5_1.tf" + "filename": "positive5_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive5_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive5_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json index 88278bcc16b..3d5f0de3f52 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 3, - "fileName": "positive6_1.tf" + "filename": "positive6_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "", + "searchKey": "azurerm_subscription[positive6]", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json index 3947db2a18e..92bb58dac95 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive1_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Activity Log Alert For Service Health Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "ServiceHealthActivityLogAlert", + "searchKey": "azurerm_monitor_activity_log_alert[positive1_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription", + "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 8ef8308aeee..b7ab0c856ef 100644 --- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "AD Admin Not Configured For SQL Server",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_sql_server",
+ "resourceName": "mysqlserver1",
+ "searchKey": "azurerm_sql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]'",
+ "actualValue": "A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
index 2c7d9931142..fadcebc561b 100644
--- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Admin User Enabled For Container Registry",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_container_registry",
+ "resourceName": "containerRegistry1",
+ "searchKey": "azurerm_container_registry[positive2].admin_enabled",
+ "searchValue": "",
+ "expectedValue": "'admin_enabled' equal 'false'",
+ "actualValue": "'admin_enabled' equal 'true'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
index 05ecb80f66a..e4448d1b44e 100644
--- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "AKS Disk Encryption Set ID Undefined",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' should be defined and not null",
+ "actualValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
index 7006cce495b..222a3c6eb23 100644
--- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 21
+ "line": 21,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].network_profile",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' should be set to either 'azure' or 'calico'",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 26
+ "line": 26,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks2",
+ "searchKey": "azurerm_kubernetes_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].network_profile' should be set",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 69
+ "line": 69,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'",
+ "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
index 96f56ad6e79..9f0db80f3a8 100644
--- a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "AKS Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "AKS Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
index c846921fc48..151d84342ad 100644
--- a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
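Review bot: The positive1.tf entry in this hunk pairs `"actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false"` with `"issueType": "MissingAttribute"`, although the attribute is present and merely holds the wrong value; every other fixture in this change labels a present-but-wrong value `IncorrectValue` (the aks_rbac_disabled entries that follow are the nearest example). The mirror image appears in the app_service_http2_disabled hunk further down, where the positive2, positive4 and positive7 entries say `site_config.http2_enabled' is undefined or null` but carry `IncorrectValue`, while that file's undefined `site_config` entries use `MissingAttribute`. Since these files record what each query emits, the mismatch presumably originates in the corresponding query.rego branch, and accepting the generated value here would pin it in place; the branch is worth confirming before merge and the fixture regenerated if it changes. The positive2.tf entry in this hunk, where the attribute is undefined, is consistently labelled.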
@@ -3,12 +3,26 @@
 "queryName": "AKS RBAC Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' is not set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "AKS RBAC Disabled",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks2",
+ "searchKey": "azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' is not set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
index b2c5b7e2db4..85ef3a4cef6 100644
--- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@ "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "positive1", + "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "positive3", + "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true", + "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "AKS Uses Azure Policies Add-On Disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + 
"searchKey": "azurerm_kubernetes_cluster[positive4]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies", + "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json index 2ff2155dcde..e1c5eafb7b3 100644 --- a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 31, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'", + "actualValue": 
"'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 15, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 38, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category", + "searchValue": "", + "expectedValue": 
"'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1].log.enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 34, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - AKS Without Audit Logs", "severity": "MEDIUM", "line": 39, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_monitor_diagnostic_setting", + "resourceName": "myAKSClusterLogs", + "searchKey": 
"azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json index d85adf37378..e513c8a17b0 100644 --- a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json 
@@ -3,84 +3,182 @@ "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", + "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" + "line": 8, + "filename": "positive10.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive3.tf" + "line": 9, + "filename": "positive11.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.tf" + "line": 11, + "filename": "positive12.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": 
"example-app-service", + "searchKey": "azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive5.tf" + "line": 9, + "filename": "positive13.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive6.tf" + "line": 11, + "filename": "positive14.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive7.tf" + "line": 17, + "filename": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": 
"'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive8.tf" + "line": 1, + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive9.tf" + "line": 7, + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive10.tf" + "line": 6, + "filename": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' is not 
defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive11.tf" + "line": 8, + "filename": "positive6.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive12.tf" + "line": 1, + "filename": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive13.tf" + "line": 7, + "filename": "positive8.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": 
"positive14.tf" + "line": 6, + "filename": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json index b0b891fa9e1..f4ef242772c 100644 --- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json 
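Review bot: The searchKey of the positive2, positive4 and positive8 entries in this hunk is wrapped in single quotes, e.g. `"searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'"`, whereas every other searchKey in this file and in the sibling fixtures is a bare path such as `azurerm_app_service[positive1]`. The quotes look like the expectedValue/actualValue formatting leaking into the query's searchKey sprintf; if searchKey is what the engine uses to resolve the reported line, the quoted form should be confirmed against that query.rego branch rather than frozen into the expected result. The remaining differences in the hunk (entries reordered, line numbers moving between entries) appear to be the fixture being re-sorted by filename rather than changed findings.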
@@ -3,18 +3,39 @@
 "queryName": "App Service FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_app_service",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_app_service[positive1].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_app_service[positive1].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_app_service[positive1].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "App Service FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_web_app",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_linux_web_app[positive2].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "App Service FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_web_app",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_windows_web_app[positive3].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json
index bd6cfd298dd..ae1c2ac6f54 100644
--- a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json
@@ -3,54 +3,117 @@ "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive4].site_config", + "searchValue": "", + "expectedValue": 
"'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive7.tf" + "filename": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - 
"fileName": "positive8.tf" + "filename": "positive8.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive8]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive8].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive8].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "filename": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json index b37828fec54..baeaf554f75 100644 --- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].identity' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1-1].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive1-2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive1-2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive1-2].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive1-3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive1-3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive1-3].identity' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 94a103e1fcd..3c4b0d5345a 100644 
--- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": 
"azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 43, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": 
"'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 43, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set 
to '1.3'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json index af3369be556..9ef7b6be976 100644 --- a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service_slot", + "resourceName": "${random_id.server.hex}", + "searchKey": "azurerm_app_service_slot[positive1]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_linux_web_app_slot[positive2]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_windows_web_app_slot[positive3]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json index bbc8ad57827..39d10196361 100644 
--- a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue" } ] 
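Review bot: The pinned `expectedValue`/`actualValue` strings carry the misspelling "avaliable" in all three entries of this hunk (`... should be the latest avaliable stable version (8.1)`), and the python-version fixture in the next file section repeats it for `(3.10)`. The fixture only mirrors what `query.rego` emits, so correcting the spelling here alone would make the test fail; the fix belongs in the query's message text, with this fixture regenerated afterwards (`... should be the latest available stable version (8.1)`). If the misspelling is being kept deliberately to avoid churn in scanner output, a short note in the commit description saying so would stop the next reviewer from flagging it again.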
diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json index 1f732fee823..f2157c2c33f 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 26, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json index 91d2eee41fa..515467342db 100644 
--- a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json @@ -3,12 +3,26 @@ "queryName": "Azure Active Directory Authentication", "severity": "LOW", "line": 19, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "positive1", + "searchKey": "azurerm_service_fabric_cluster[positive1].azure_active_directory", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Azure Active Directory Authentication", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "example-servicefabric", + "searchKey": "azurerm_service_fabric_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json index 51f53fa12ff..00779e22de2 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json 
@@ -3,84 +3,182 @@ "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + 
"resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-4]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 41, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-5]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 58, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined", + "issueType": 
"MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' or 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' and 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" 
+ "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' or 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' and 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue" }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 33, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + 
"searchKey": "azurerm_windows_web_app[positive3-4]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json index 3e237b95c0c..9f34d13c186 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json 
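Review bot: For the `azurerm_linux_web_app` and `azurerm_windows_web_app` entries in this hunk (positive2-1, positive2-4, positive3-1, positive3-4) the `expectedValue` names the attribute `client_certificate_enabled` while the paired `actualValue` says `client_cert_enabled` is undefined, so the recorded finding refers to two different attribute names for the same resource. The real attribute on those resources is `client_certificate_enabled`, as the `searchKey` of positive2-2 and positive3-2 confirms, so the `actualValue` text looks like a copy of the legacy `azurerm_app_service` message in `query.rego`; since the fixture captures whatever the query emits, the query message should be corrected and the fixture regenerated, e.g. `"actualValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' is undefined"`. A consistent attribute name in the message matters for anyone triaging the result against the Terraform source.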
@@ -3,12 +3,26 @@ "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json index a55c056c993..b6343280a5c 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", + "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 17 + "line": 17, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", + "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index a1135b0d7d6..ee602eb08ca 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[acr]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'", + "actualValue": "'azurerm_container_registry[acr] scope' does not contain azurerm_management_lock'", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json index 2963574a101..b065095a38c 100644 --- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Azure Front Door WAF Disabled", "severity": "LOW", "line": 38, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "exampleFrontendEndpoint1", + "searchKey": "azurerm_frontdoor[positive].frontend_endpoint", + "searchValue": "", + "expectedValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' should be defined and not null", + "actualValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 43fe5a014b0..d3f0a8ee4da 100644 
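Review bot: The `expectedValue` and `actualValue` strings for `azurerm_container_registry[acr]` in the no-locks hunk have unbalanced quoting — the resource reference is opened and closed with single quotes, and a stray trailing apostrophe follows `azurerm_management_lock`, e.g. `"'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'"`. This is inherited from the query's message, so the fix is to balance the quotes in `query.rego` (`'azurerm_container_registry[acr]' scope should contain 'azurerm_management_lock'`) and regenerate this fixture rather than editing the JSON by hand.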
--- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json 
@@ -3,24 +3,52 @@
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' should be set to 'true'",
+ "actualValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_linux_virtual_machine[positive2].disable_password_authentication",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' should be set to 'true'",
+ "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_linux_virtual_machine_scale_set",
+ "resourceName": "positive3-vmss",
+ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' should be set to 'true'",
+ "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "azurerm_virtual_machine_scale_set",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'",
+ "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json
index 28409aaffa7..856440e3a9b 100644
--- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - Backup Vault Without Immutability",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_data_protection_backup_vault",
+ "resourceName": "positive1-backup-vault",
+ "searchKey": "azurerm_data_protection_backup_vault[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled",
+ "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Backup Vault Without Immutability",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_data_protection_backup_vault",
+ "resourceName": "positive2-backup-vault",
+ "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability",
+ "searchValue": "",
+ "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled",
+ "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json
index e8f3a037e3a..ab6c447c689 100644
--- a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Beta - Backup Vault Without Soft Delete",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_data_protection_backup_vault",
+ "resourceName": "positive-backup-vault",
+ "searchKey": "azurerm_data_protection_backup_vault[positive].soft_delete",
+ "searchValue": "",
+ "expectedValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' should not be set to 'off'",
+ "actualValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' is set to 'off'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json
index a64968ceb9f..b9c4413aeac 100644
--- a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].blob_properties.delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].blob_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'",
+ "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
index c7e794f2269..f2fa176aa39 100644
--- a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Container App Managed Identity Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_container_app",
+ "resourceName": "example-app",
+ "searchKey": "azurerm_container_app[positive]",
+ "searchValue": "",
+ "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block",
+ "actualValue": "'identity' block is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
index 14401d8bbd1..1e5dd8ee4f8 100644
--- a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
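Review bot: The `expectedValue` pinned for Container App Managed Identity Disabled says the identity `type` should be `'SystemAssigned' or 'UserAssigned'`, while the sibling Container Group Managed Identity Disabled fixture in the next file pins `'SystemAssigned' and 'UserAssigned'`. Both queries check the same `identity` block and their remediation text should agree; if the container-group query really requires both values it would flag valid single-identity configurations, and if it accepts either, its message misleads the user about the fix. Worth confirming against the two query sources before these strings become test expectations.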
@@ -3,6 +3,13 @@
 "queryName": "Beta - Container Group Managed Identity Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "example-continst",
+ "searchKey": "azurerm_container_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'type' field should have the values 'SystemAssigned' and 'UserAssigned' defined inside the 'identity' block",
+ "actualValue": "'identity' block is not defined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
index 56b4b8144b1..b7aab152601 100644
--- a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive1",
+ "searchKey": "azurerm_container_group[positive1]",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 7,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive2",
+ "searchKey": "azurerm_container_group[positive2].ip_address_type",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is defined to 'Public'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 7,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive3",
+ "searchKey": "azurerm_container_group[positive3].ip_address_type",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is defined to 'None'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
index a7af79fc475..1df09ee4932 100644
--- a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].blob_properties.container_delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].blob_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'",
+ "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'",
+ "issueType": "IncorrectValue"
 }
 ]
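Review bot: In the positive3 entry of Containers Without Soft Delete, `actualValue` reports `...container_delete_retention_policy' is set to '5'` while `searchKey` and `expectedValue` both point at `...container_delete_retention_policy.days`; the value 5 is the `days` attribute, not the policy block, so the message names the wrong key. The sibling Blob Storage Without Soft Delete fixture earlier in this diff reports the analogous case as `...delete_retention_policy.days' is set to '5'`, which is the form this one should take. The string originates in the query's output, so correct it there and regenerate this file rather than editing the fixture by hand.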
diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
index e8c803b83b9..b81ad5c4908 100644
--- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Cosmos DB Account Without Tags",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_cosmosdb_account",
+ "resourceName": "tfex-cosmos-db-${random_integer.ri.result}",
+ "searchKey": "azurerm_cosmosdb_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "azurerm_cosmosdb_account[positive1].tags should be defined'",
+ "actualValue": "azurerm_cosmosdb_account[positive1].tags is undefined'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
index fedbf8ded29..22ea67d8e9e 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "CosmosDB Account IP Range Filter Not Set",
 "severity": "CRITICAL",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_cosmosdb_account",
+ "resourceName": "example",
+ "searchKey": "azurerm_cosmosdb_account[positive1].ip_range_filter",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' should be set",
+ "actualValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
index 923c8c0a0e3..f8995cebf67 100644
--- a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Dashboard Is Enabled",
 "severity": "LOW",
- "line": 23
+ "line": 23,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' should be set to false or undefined",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json
index 187af373e28..31233566500 100644
--- a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json 
@@ -3,30 +3,65 @@
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 73,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 4 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 1 category(s): 'notebook'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 60,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos5]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
index cc33fc2692e..42b4f66f88d 100644
--- a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - Databricks Workspace Using Default Virtual Network",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "example-dbw",
+ "searchKey": "azurerm_databricks_workspace[example_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[example_1].custom_parameters.virtual_network_id' should be defined and not empty",
+ "actualValue": "'azurerm_databricks_workspace[example_1].custom_parameters' is undefined or empty",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Workspace Using Default Virtual Network",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "example-dbw",
+ "searchKey": "azurerm_databricks_workspace[example_2].custom_parameters",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' should be defined and not null",
+ "actualValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
index 332b460e838..f4b125c1fa2 100644
--- a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null",
+ "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 27
+ "line": 27,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 41
+ "line": 41,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive5]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
index eb2a0914d74..6dce666ede5 100644
--- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 30,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1storageaccount",
+ "searchKey": "azurerm_storage_account[positive1].network_rules.default_action",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.network_rules.default_action should be set to 'Deny'",
+ "actualValue": "azurerm_storage_account.network_rules.default_action is set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 38,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2storageaccount",
+ "searchKey": "azurerm_storage_account_network_rules[positive2].default_action",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'",
+ "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'",
+ "issueType": "IncorrectValue"
 },
- {
+ {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3storageaccount",
+ "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'",
+ "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive4storageaccount",
+ "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'",
+ "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
index b1c5948ab12..3592b3a5781 100644
--- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
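Review bot: The positive3 entry's `actualValue` reads `azurerm_storage_account.public_network_access_enabled set to 'true'`, dropping the verb that the positive1/positive2 entries in the same file use (`... is set to 'Allow'`); the message should read `azurerm_storage_account.public_network_access_enabled is set to 'true'`. The `- {` / `+ {` pair before that entry looks like a whitespace-only re-indent rather than a content change, which is fine but worth a glance since the rest of the hunk is additive. As with the other fixtures in this change, the wording comes from the query's output, so correct it at its source and regenerate this file.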
@@ -3,42 +3,91 @@
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
index 578e1f6b4c9..5e8285fe0d9 100644
--- a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Beta - Disk Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "secure-vm-disk",
+ "searchKey": "azurerm_managed_disk[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive1]' should set a 'disk_encryption_set_id' or 'secure_vm_disk_encryption_set_id'",
+ "actualValue": "'azurerm_managed_disk[positive1]' does not set a disk encryption id field",
+ "issueType": "MissingAttribute"
 }
 ]
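Review bot: In the diagnostic_settings_without_appropriate_logging hunk the issueType assignment is inconsistent: positive1_2, positive1_3, positive2_1 and positive2_3 (some categories not enabled) get `"issueType": "MissingAttribute"`, while positive2_2 (all 4 categories) and positive2_4 (1 category) get `"issueType": "IncorrectValue"`, although the actualValue messages have identical shape. This may be deliberate if those two entries come from a different rego branch (a category block present but disabled rather than absent), but nothing in the fixture records that distinction, so whoever regenerates this file cannot tell a correct result from a mis-matched one. Either align the issueType across the six entries or make the actualValue text distinguish "absent" from "disabled"; the same "is undefined or null" paired with `"issueType": "IncorrectValue"` appears in the function_app_http2_disabled hunk further down.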
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
index 4c12200c167..b18a896e329 100644
--- a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Email Alerts Disabled",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_security_center_contact",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_security_center_contact[positive1].alert_notifications",
+ "searchValue": "",
+ "expectedValue": "'azurerm_security_center_contact.positive1.alert_notifications' should be true",
+ "actualValue": "'azurerm_security_center_contact.positive1.alert_notifications' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
index 22ca038752f..a01bdcd7b7f 100644
--- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true",
+ "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 14
+ "line": 14,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive2].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive2].encryption_settings' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 33
+ "line": 33,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive3].encryption_settings",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 44
+ "line": 44,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive4].encryption_settings",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
index d4b428e8a74..022be120ee7 100644
--- a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - File Share Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - File Share Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].share_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
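Review bot: In the encryption_on_managed_disk_disabled hunk the actualValue for positive3 and positive4 carries an unbalanced quote — `"actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}",` and the matching `'[]` line — so the fixture now pins a malformed message instead of the evidently intended `... is set to '{}'`. Because this file only records what the query emitted, the missing closing quote presumably originates in the query's sprintf format; correcting it there and regenerating is preferable to hand-editing the expectation, but either way the typo should not be locked in as the expected output.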
diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
index 7e4bf7c151c..0793bff0a62 100644
--- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_redis_firewall_rule",
+ "resourceName": "someIPrange",
+ "searchKey": "azurerm_redis_firewall_rule[positive1].start_ip",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' should allow no more than 255 hosts",
+ "actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
index fa06e87e1af..f5bed1e0c53 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
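Review bot: The firewall_rule_allows_too_many_hosts_to_access_redis_cache hunk pins a Go formatting error as the expected output: `"actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts",` — `%!s(int=…)` is what fmt emits when a `%s` verb is handed an integer. Committing that string as the expectation turns a message-formatting defect in the query into a passing test, so the next maintainer who corrects the verb gets a spurious failure here. The host count is the value the rule exists to surface, so the expectation should read `... allow 33554432 hosts` once the query's format verb is fixed and the fixture regenerated.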
@@ -3,84 +3,182 @@
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_function_app[positive1-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined",
+ "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_function_app[positive2-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined",
+ "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')",
+ "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 52,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')",
+ "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 68,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_function_app[positive3-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined",
+ "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')",
+ "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 52,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_function_app[positive3-5].auth_settings_v2",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')",
+ "actualValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Authentication Disabled",
 "severity": "MEDIUM",
 "line": 68,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'",
+ "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json
index 08a4877d02b..7677e6c29af 100644
--- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json
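Review bot: Three of the new searchKey values in the function_app_authentication_disabled hunk are wrapped in single quotes — `"searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'",` and the positive2-2 / positive3-2 counterparts — whereas every other searchKey in this file and in the sibling fixtures is the bare `resource[name].attribute` path. searchKey is presumably the locator used to match a finding to the flagged resource, so the quoted form looks like a message template leaking into the key rather than an intended format; the fixture should expect the bare path, with the correction made in the query that emits it and the file regenerated. The function_app_ftps_enforce_disabled hunk further down has the same class of defect, a stray trailing `'` in `azurerm_function_app[positive1-2].site_config'` and `azurerm_function_app[positive1-3]'`.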
@@ -3,36 +3,78 @@
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_function_app[positive1-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-1].client_cert_mode' should be defined and not null",
+ "actualValue": "'azurerm_function_app[positive1-1].client_cert_mode' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_function_app[positive1-2].client_cert_mode",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'",
+ "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_linux_function_app[positive2-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null",
+ "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_linux_function_app[positive2-2].client_certificate_mode",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' should be set to 'Required'",
+ "actualValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' is not set to 'Required'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_windows_function_app[positive3-1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null",
+ "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App Client Certificates Unrequired",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'",
+ "actualValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index 2853e315054..ca859b9fd16 100644
--- a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_linux_function_app_slot",
+ "resourceName": "example-linux-function-app-slot",
+ "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher",
+ "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_windows_function_app_slot",
+ "resourceName": "example-slot",
+ "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher",
+ "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
index add34a22f4a..fd732bd5e5b 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Function App FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_function_app[positive1-1].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_function_app[positive1-2].site_config'",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' should be defined and not null",
+ "actualValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_function_app[positive1-3]'",
+ "searchValue": "",
+ "expectedValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' should be defined and not null",
+ "actualValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Function App FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_linux_function_app[positive2].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Function App FTPS Enforce Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_windows_function_app",
+ "resourceName": "test-azure-functions",
+ "searchKey": "azurerm_windows_function_app[positive3].site_config.ftps_state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'",
+ "actualValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' is set to 'AllAllowed'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json
index d82199717ca..ac87ccc1c85 100644
--- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json
@@ -3,54 +3,117 @@ "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": 
"'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App HTTP2 Disabled", 
"severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue" }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json index 260582022d7..1135d70385d 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json 
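Review bot: The positive1-2, positive2-2 and positive3-2 entries (the `"line": 14` findings) are tagged `"issueType": "IncorrectValue"` although their expectedValue/actualValue pair is the "should be defined and not null" / "is undefined or null" form that every other entry in this file, and the preceding ftps fixture, maps to MissingAttribute. If the query's rego genuinely emits IncorrectValue for a missing `http2_enabled` the fixture is faithful, but if these values came from the pattern-based mapping this looks like a misclassification that the fixture would then pin down. Suggest checking the rego's issueType for that branch and, if it is the mapping, changing those three lines to `"issueType": "MissingAttribute"`.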
@@ -2,16 +2,40 @@ { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1].identity' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2].identity' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3].identity' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index ba44ed4278c..baf4e891299 100644 
--- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,60 +3,130 @@ "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "filename": 
"positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 37, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-4]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": 
"azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 31, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 37, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-4]", + "searchValue": "", + "expectedValue": 
"'azurerm_windows_function_app[positive3-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json index 46237c30c6e..12428b200b5 100644 --- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", + "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", + "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json index d7155771566..4e1a229abf0 100644 --- a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Key Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "generated-certificate", + "searchKey": "azurerm_key_vault_key[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json index 97bfb0544c9..c04fe3a9410 100644 --- a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive1].purge_protection_enabled", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' field should be set to true", + "actualValue": "'purge_protection_enabled' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive2]", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' should be defined and set to true", + "actualValue": "'purge_protection_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json index ec725ac34b4..0ebb419b5a1 100644 --- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Key Vault Secrets Content Type Undefined", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_secret[positive].content_type' should be defined and not null", + "actualValue": "'azurerm_key_vault_secret[positive].content_type' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json index 4193e97f2e6..32e166cce46 100644 --- a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive1-certificate", + "searchKey": "azurerm_key_vault_key[positive1].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive1].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive1].key_type' is set to 'RSA'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive2-certificate", + "searchKey": "azurerm_key_vault_key[positive2].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive2].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive2].key_type' is set to 'EC'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json index 4fdc0d7828c..4dcacb1c04b 100644 --- a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Beta - Kubernetes Cluster Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json index 96fbc631e30..106193284d7 100644 --- a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue" }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json index 80f99405d25..c0752d18e93 100644 --- a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Beta - Logic App Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "example-logic-app", + "searchKey": "azurerm_logic_app_standard[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json index 0501fb48609..3a0319eba12 100644 --- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", "line": 16, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' should be set to false", + "actualValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' is not set to false", + "issueType": "IncorrectValue" }, { "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' should be defined and not null", + "actualValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json index 8fd6749c698..a20b74bb6bd 100644 --- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json 
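Review bot: The first entry's expectedValue and actualValue refer to `'azurerm_mariadb_server[positive].public_network_access_enabled.enabled'`, but the searchKey on the line above is `azurerm_mariadb_server[positive].public_network_access_enabled`, which is a boolean attribute with no `.enabled` child, so the `.enabled` suffix looks like a leftover in the message rather than a real path. If the text mirrors the query's rego output the defect should be corrected in the rego's sprintf and the fixture regenerated; otherwise the two message lines should drop the suffix, e.g. `"expectedValue": "'azurerm_mariadb_server[positive].public_network_access_enabled' should be set to false"`.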
@@ -3,12 +3,26 @@ "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive1].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' should be set to true", + "actualValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' is set to false", + "issueType": "IncorrectValue" }, { "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' should be defined and set to true", + "actualValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 73376a87e9c..32b490dfb8b 100644 --- a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Beta - MSSQL Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "example-resource", + "searchKey": "azurerm_mssql_server[positive1].minimum_tls_version", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined to '1.2'", + "actualValue": "'minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json index 3a520528db2..f2f8cde8b2a 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute" }, { "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json index fa15c8d1679..a16adfaa2f5 100644 --- a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json 
@@ -3,18 +3,39 @@
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_mssql_server_security_alert_policy",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_mssql_server_security_alert_policy[positive1].disabled_alerts",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' should be empty",
+ "actualValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' is not empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_server_security_alert_policy",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' should be enabled",
+ "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "my-mssql-server",
+ "searchKey": "azurerm_mssql_server[example]",
+ "searchValue": "",
+ "expectedValue": "Security alert policy should be defined and enabled",
+ "actualValue": "Security alert policy is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
index a44857a9524..0756178b902 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
@@ -3,13 +3,26 @@
 "queryName": "MSSQL Server Public Network Access Enabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_mssql_server[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' should be defined and not null",
+ "actualValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "MSSQL Server Public Network Access Enabled",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_mssql_server[positive2].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' should be set to false",
+ "actualValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' is set to true",
+ "issueType": "IncorrectValue"
 }
 ]
-
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
index e7f08b088ba..3155fa75f14 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "MySQL Server Public Access Enabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "example-mysqlserver",
+ "searchKey": "azurerm_mysql_server[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' should be defined",
+ "actualValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "MySQL Server Public Access Enabled",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "example-mysqlserver",
+ "searchKey": "azurerm_mysql_server[positive2].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' should be set to false",
+ "actualValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' is set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
index 573fae9c01b..c27feed42d6 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
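Review bot: Both new entries in the mysql_server_public_access_enabled hunk set `"resourceType": "azurerm_mssql_server"` while their `searchKey`, `expectedValue` and `actualValue` all name `azurerm_mysql_server[...]`, which reads as a copy-paste slip from the MSSQL fixtures; the mysql_ssl_connection_disabled hunk that follows has the same mismatch. If these values were pasted from real scanner output, the inconsistency presumably originates in the query's own `resourceType` line in query.rego rather than in the fixture, so that should be confirmed before the fixture is corrected. Otherwise the fix is `"resourceType": "azurerm_mysql_server",` in each of the three affected entries.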
@@ -2,6 +2,14 @@
 {
 "queryName": "MySQL SSL Connection Disabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "webflux-mysql-${var.environment}${random_integer.rnd_int.result}",
+ "searchKey": "azurerm_mysql_server[positive1].ssl_enforcement_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' should equal 'true'",
+ "actualValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' is equal 'false'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
index 5f4588091b6..b807d352786 100644
--- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Network Interfaces IP Forwarding Enabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_interface",
+ "resourceName": "example-nic",
+ "searchKey": "azurerm_network_interface[positive].enable_ip_forwarding",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_interface[positive].enable_ip_forwarding' should be set to false or undefined",
+ "actualValue": "'azurerm_network_interface[positive].enable_ip_forwarding' is set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
index e0ea3ebc646..3c22ccd471f 100644
--- a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Network Interfaces With Public IP",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_interface",
+ "resourceName": "example-nic",
+ "searchKey": "azurerm_network_interface[positive].ip_configuration.public_ip_address_id",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' should be undefined",
+ "actualValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' is defined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
index b287a8f30d5..524de8d4743 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Network Watcher Flow Disabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_watcher_flow_log",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_network_watcher_flow_log[positive1].enable",
+ "searchValue": "",
+ "expectedValue": "azurerm_network_watcher_flow_log.enabled should be true",
+ "actualValue": "azurerm_network_watcher_flow_log.enabled is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
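Review bot: In the network_watcher_flow_disabled hunk the new `searchKey` ends in `[positive1].enable` while `expectedValue` and `actualValue` refer to `azurerm_network_watcher_flow_log.enabled`, so one of the two attribute names is wrong and the entry should be cross-checked against an actual scan result before it is committed as the expected output. The postgresql_not_using_latest_tls_encryption_version hunk further down shows the same pattern: its `searchKey` names `minimum_tls_version` on a resource labelled `negative2` inside positive.tf, while the messages name `ssl_minimal_tls_version_enforced`. The `negative2` label is presumably just the sample resource's name, but a positive fixture pointing at a resource called "negative" is easy to misread and worth renaming in the sample if the test still passes.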
diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
index b35ff583b46..b20bf51dff6 100644
--- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
index abd85e253b5..82acb9e3778 100644
--- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
index 067ff6d8970..12f17c55ca6 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
index 3863748c49d..4f0d718b715 100644
--- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 20
+ "line": 20,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index f316f34f23f..f8d4156e16a 100644
--- a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - PostgreSQL Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[negative2].minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'ssl_minimal_tls_version_enforced' should be defined to 'TLS1_2'",
+ "actualValue": "'ssl_minimal_tls_version_enforced' is defined to 'TLS1_1'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
index ad6c13e0928..7259aa1e8c5 100644
--- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "PostgreSQL Server Infrastructure Encryption Disabled",
 "severity": "LOW",
 "line": 21,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive1].infrastructure_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' should be set to true",
+ "actualValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Server Infrastructure Encryption Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
index 14af965003f..ec286844ce8 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "PostgreSQL Server Threat Detection Policy Disabled",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true",
+ "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Server Threat Detection Policy Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object",
+ "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
index 943c8a24cdc..5c18dcbbf77 100644
--- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json
index ea162bbcc22..049cd15757d 100644
--- a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json 
@@ -1,32 +1,67 @@
 [
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 28,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 43,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 48,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 11,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules",
+ "searchValue": "",
+ "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0",
+ "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 28,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive2].network_rules",
+ "searchValue": "",
+ "expectedValue": "'network_rules.ip_rules' should be defined and not null",
+ "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 43,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_account_network_rules",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account_network_rules[positive3].ip_rules",
+ "searchValue": "",
+ "expectedValue": "ip_rules[0] should not contain 0.0.0.0/0",
+ "actualValue": "ip_rules[0] contains 0.0.0.0/0",
"issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 48,
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_account_network_rules",
+ "resourceName": "positive4",
+ "searchKey": "azurerm_storage_account_network_rules[positive4]",
+ "searchValue": "",
+ "expectedValue": "'ip_rules' should be defined and not null",
+ "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 8,
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive5].allow_blob_public_access",
+ "searchValue": "",
+ "expectedValue": "'allow_blob_public_access' should be set to false or undefined",
+ "actualValue": "'allow_blob_public_access' is set to true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
index ebd333666de..c6f55480aaa 100644
--- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
@@ -1,102 +1,262 @@
[
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 8
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 22
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 36
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 50
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 64
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 78
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 92
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 106
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 120
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 134
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 153
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 165
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 177
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 189
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 201
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 213
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 225
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 237
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 249
- },
- {
- "queryName": "RDP Is Exposed To The Internet",
- "severity": "HIGH",
- "line": 261
- }
-]
\ No newline at end of file
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 22,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 50,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 64,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 78,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 92,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 106,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 120,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389",
+ "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 153,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive11",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 165,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive12",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 177,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive13",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 189,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive14",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 201,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive15",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 213,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive16",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 225,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive17",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 237,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive18",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 249,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive19",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "RDP Is Exposed To The Internet",
+ "severity": "HIGH",
+ "line": 261,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive20",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 3389",
+ "actualValue": "'destination_port_range' might be 3389",
+ "issueType": "IncorrectValue"
+ }
+]
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json
index e36c55b3819..2fc56212a8f 100644
--- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json
@@ -2,11 +2,27 @@
{
"queryName": "Beta - Recovery Services Vault With Public Network Access",
"severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": "positive1-recovery-vault",
+ "searchKey": "azurerm_recovery_services_vault[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false",
+ "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Recovery Services Vault With Public Network Access",
"severity": "HIGH",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": "positive2-recovery-vault",
+ "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false",
+ "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json
index 3a18b5b238f..7d61eebbf89 100644
--- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json
@@ -2,11 +2,27 @@
{
"queryName": "Beta - Recovery Services Vault Without Immutability",
"severity": "HIGH",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": "positive1-recovery-vault",
+ "searchKey": "azurerm_recovery_services_vault[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled",
+ "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Recovery Services Vault Without Immutability",
"severity": "HIGH",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": "positive2-recovery-vault",
+ "searchKey": "azurerm_recovery_services_vault[positive2].immutability",
+ "searchValue": "",
+ "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled",
+ "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
index e5d1b57eeb7..9a1c5136961 100644
--- a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json
@@ -2,6 +2,14 @@
{
"queryName": "Beta - Recovery Services Vault Without Soft Delete",
"severity": "HIGH",
- "line": 7
+ "line": 7,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_recovery_services_vault",
+ "resourceName": "positive-recovery-vault",
+ "searchKey": "azurerm_recovery_services_vault[positive].soft_delete_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' should not be set to false",
+ "actualValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' is set to false",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
index c06ca607b78..6d16a5bbc9e 100644
--- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -1,7 +1,15 @@
[
- {
- "queryName": "Redis Cache Allows Non SSL Connections",
- "severity": "MEDIUM",
- "line": 8
- }
+ {
+ "queryName": "Redis Cache Allows Non SSL Connections",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "example-cache",
+ "searchKey": "azurerm_redis_cache[positive1].enable_non_ssl_port",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' should be set to false or undefined (false as default)",
+ "actualValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' is true",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json
index 1aacb551ed4..3026c335fe2 100644
--- a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json
@@ -3,12 +3,26 @@
"queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned",
"severity": "MEDIUM",
"line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "example-cache-positive1",
+ "searchKey": "azurerm_redis_cache[positive1]",
+ "searchValue": "",
+ "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field",
+ "actualValue": "'identity' block is not defined",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned",
"severity": "MEDIUM",
"line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "example-cache-negative2",
+ "searchKey": "azurerm_redis_cache[positive2]",
+ "searchValue": "",
+ "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field",
+ "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field",
+ "issueType": "MissingAttribute"
}
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index 3d4cbf732c2..4e4b5d8f631 100644
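Review bot: The issueType on the second entry of this hunk (positive2.tf, line 10) looks inconsistent with its own actualValue: the message says the 'identity' block exists but its 'type' is not 'SystemAssigned', which the other fixtures in this change classify as IncorrectValue, yet it is pinned here as MissingAttribute. The next hunk (redis_cache_not_using_latest_tls_encryption_version) has the mirror-image problem: the positive2.tf entry reports `"actualValue": "'minimum_tls_version' is not defined"` but carries `"issueType": "IncorrectValue"`, whereas undefined attributes elsewhere (e.g. redis_not_updated_regularly) are MissingAttribute. If these values were taken from what the queries actually emit they are correct as expected results, but the inconsistency is then in the rego and this fixture will lock it in; please confirm against each query.rego before merging and, if the rego is the problem, fix it rather than the fixture.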
--- a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -3,12 +3,26 @@
"queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version",
"severity": "MEDIUM",
"line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "example-cache",
+ "searchKey": "azurerm_redis_cache[positive1].minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'",
+ "actualValue": "'minimum_tls_version' is defined to '1.1'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version",
"severity": "MEDIUM",
"line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "example-cache",
+ "searchKey": "azurerm_redis_cache[positive2]",
+ "searchValue": "",
+ "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'",
+ "actualValue": "'minimum_tls_version' is not defined",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json
index 102713534e5..81761fbb02e 100644
--- a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json
@@ -2,6 +2,14 @@
{
"queryName": "Redis Entirely Accessible",
"severity": "CRITICAL",
- "line": 22
+ "line": 22,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_redis_firewall_rule",
+ "resourceName": "someIPrange",
+ "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip should not equal to '0.0.0.0'",
+ "actualValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip are equal to '0.0.0.0'",
+ "issueType": "IncorrectValue"
}
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json
index 01189c2c454..60850407fbb 100644
--- a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json
@@ -2,6 +2,14 @@
{
"queryName": "Redis Not Updated Regularly",
"severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_redis_cache",
+ "resourceName": "timeout-redis",
+ "searchKey": "azurerm_redis_cache[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_cache[positive1].patch_schedule' should be defined and not null",
+ "actualValue": "'azurerm_redis_cache[positive1].patch_schedule' is undefined or null",
+ "issueType": "MissingAttribute"
}
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json
index 9786674c7d7..a94b32362c2 100644
--- a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json
@@ -2,6 +2,14 @@
{
"queryName": "Redis Publicly Accessible",
"severity": "CRITICAL",
- "line": 22
+ "line": 22,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_redis_firewall_rule",
+ "resourceName": "someIPrange",
+ "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_firewall_rule[positive2]' ip range should be private",
+ "actualValue": "'azurerm_redis_firewall_rule[positive2]' ip range is not private",
+ "issueType": "IncorrectValue"
}
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json
index 4df38e6a9f5..ba09c8ea710 100644
--- a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json
@@ -3,156 +3,338 @@
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_subscription",
+ "resourceName": "positive1_1",
+ "searchKey": "azurerm_subscription[positive1_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 5,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_subscription",
+ "resourceName": "positive1_2",
+ "searchKey": "azurerm_subscription[positive1_2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_subscription[positive1_2]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_subscription[positive1_2]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 1,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_key_vault",
+ "resourceName": "example-keyvault",
+ "searchKey": "azurerm_key_vault[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 9,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_application_gateway",
+ "resourceName": "example-appgateway",
+ "searchKey": "azurerm_application_gateway[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 15,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_firewall",
+ "resourceName": "testfirewall",
+ "searchKey": "azurerm_firewall[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 23,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_lb",
+ "resourceName": "TestLoadBalancer",
+ "searchKey": "azurerm_lb[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 29,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_public_ip",
+ "resourceName": "acceptanceTestPublicIp1",
+ "searchKey": "azurerm_public_ip[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_public_ip[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_public_ip[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 36,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_frontdoor",
+ "resourceName": "example-FrontDoor",
+ "searchKey": "azurerm_frontdoor[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 41,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_cdn_frontdoor_profile",
+ "resourceName": "example-cdn-profile",
+ "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 48,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_cdn_frontdoor_endpoint",
+ "resourceName": "example-endpoint",
+ "searchKey": "azurerm_cdn_frontdoor_endpoint[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 53,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_cdn_profile",
+ "resourceName": "exampleCdnProfile",
+ "searchKey": "azurerm_cdn_profile[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cdn_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_cdn_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 60,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_cdn_endpoint",
+ "resourceName": "pos_example",
+ "searchKey": "azurerm_cdn_endpoint[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 67,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 75,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_mssql_server[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 85,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_managed_instance",
+ "resourceName": "managedsqlinstance",
+ "searchKey": "azurerm_mssql_managed_instance[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 91,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_mssql_database",
+ "resourceName": "example-db",
+ "searchKey": "azurerm_mssql_database[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 101,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_cosmosdb_account",
+ "resourceName": "tfex-cosmos-db-${random_integer.ri.result}",
+ "searchKey": "azurerm_cosmosdb_account[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 109,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_web_app",
+ "resourceName": "pos_example",
+ "searchKey": "azurerm_linux_web_app[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_linux_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 118,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_windows_web_app",
+ "resourceName": "pos_example",
+ "searchKey": "azurerm_windows_web_app[pos_example]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute"
},
{
"queryName": "Beta - Resource Without Diagnostic Settings",
"severity": "MEDIUM",
"line": 127,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_linux_function_app",
+ "resourceName": "example-linux-function-app",
+ "searchKey": "azurerm_linux_function_app[pos_example]",
+ "searchValue": "",
+ "expectedValue":
"'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 139, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-windows-function-app", + "searchKey": "azurerm_windows_function_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 151, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 158, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_eventhub_namespace", + "resourceName": "example-namespace", + "searchKey": "azurerm_eventhub_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 
'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 166, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 173, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_container_registry[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 181, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_api_management", + "resourceName": "example-apim", + "searchKey": "azurerm_api_management[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_api_management[pos_example]' is 
not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json index f1c73a909a0..e7ce302849e 100644 --- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Role Assignment Not Limit Guest User Permissions", "severity": "MEDIUM", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "00000000-0000-0000-0000-000000000000", + "searchKey": "azurerm_role_assignment[example].role_definition_id", + "searchValue": "", + "expectedValue": "azurerm_role_assignment[example].role_definition_id limits guest user permissions", + "actualValue": "azurerm_role_assignment[example].role_definition_id does not limit guest user permissions", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 023084640e8..d8f73a2a4eb 100644 --- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role-definition", + "searchKey": "azurerm_role_definition[example2].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation", + "issueType": "IncorrectValue" }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role", + "searchKey": "azurerm_role_definition[example].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json index cfc5b5902ae..5e85dc650ca 100644 --- a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Secret Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json index d3bb1c8c36f..0e0ccd61505 100644 --- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Security Center Pricing Tier Is Not Standard", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "azurerm_security_center_subscription_pricing", + "resourceName": "positive1", + "searchKey": "azurerm_security_center_subscription_pricing[positive1].tier", + "searchValue": "", + "expectedValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Standard'", + "actualValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Free'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json index 69e048d540b..43c152e4301 100644 --- a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Security Contact Email", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_security_center_contact", + "resourceName": "positive", + "searchKey": "azurerm_security_center_contact[positive]", + "searchValue": "", + "expectedValue": "'azurerm_security_center_contact[positive].email' should be defined and not null", + "actualValue": "'azurerm_security_center_contact[positive].email' is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json index ed4b49e11b4..80a2286cc82 100644 --- a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive1].subnet", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", + "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 21 + "line": 21, + "filename": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive2].subnet.security_group", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", + "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 15e0b4e60c0..10142964e78 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
@@ -2,221 +2,573 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - 
"line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + 
"searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 78 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet 
(TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive 
Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 106 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + 
"resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + 
"searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": 
"UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be 
allowed", + "actualValue": "DNS (TCP53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To 
Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": 
"HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 896720bbcf2..86acfa28b0a 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json 
@@ -2,221 +2,573 @@
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range",
+ "searchValue": "UDP,61621",
+ "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed",
+ "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range",
+ "searchValue": "TCP,25",
+ "expectedValue": "SMTP (TCP:25) should not be allowed",
+ "actualValue": "SMTP (TCP:25) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "UDP,21",
+ "expectedValue": "FTP (UDP:21) should not be allowed",
+ "actualValue": "FTP (UDP:21) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "TCP,21",
+ "expectedValue": "FTP (TCP:21) should not be allowed",
+ "actualValue": "FTP (TCP:21) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 50
+ "line": 50,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 50
+ "line": 50,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 64
+ "line": 64,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 78
+ "line": 78,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 92
+ "line": 92,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 92
+ "line": 92,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "UDP,53",
+ "expectedValue": "DNS (UDP:53) should not be allowed",
+ "actualValue": "DNS (UDP:53) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 92
+ "line": 92,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 92
+ "line": 92,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "UDP,25",
+ "expectedValue": "SMTP (UDP:25) should not be allowed",
+ "actualValue": "SMTP (UDP:25) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 106
+ "line": 106,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 120
+ "line": 120,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 120
+ "line": 120,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,135",
+ "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed",
+ "actualValue": "MSSQL Debugger (UDP:135) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,23",
+ "expectedValue": "Telnet (UDP:23) should not be allowed",
+ "actualValue": "Telnet (UDP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,80",
+ "expectedValue": "HTTP (UDP:80) should not be allowed",
+ "actualValue": "HTTP (UDP:80) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,20",
+ "expectedValue": "FTP (TCP:20) should not be allowed",
+ "actualValue": "FTP (TCP:20) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,20",
+ "expectedValue": "FTP (UDP:20) should not be allowed",
+ "actualValue": "FTP (UDP:20) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,138",
+ "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed",
+ "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,139",
+ "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed",
+ "actualValue": "NetBIOS Session Service (TCP:139) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,137",
+ "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed",
+ "actualValue": "NetBIOS Name Service (TCP:137) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,25",
+ "expectedValue": "SMTP (UDP:25) should not be allowed",
+ "actualValue": "SMTP (UDP:25) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,138",
+ "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed",
+ "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,21",
+ "expectedValue": "FTP (TCP:21) should not be allowed",
+ "actualValue": "FTP (TCP:21) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,21",
+ "expectedValue": "FTP (UDP:21) should not be allowed",
+ "actualValue": "FTP (UDP:21) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,25",
+ "expectedValue": "SMTP (TCP:25) should not be allowed",
+ "actualValue": "SMTP (TCP:25) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,80",
+ "expectedValue": "HTTP (TCP:80) should not be allowed",
+ "actualValue": "HTTP (TCP:80) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,23",
+ "expectedValue": "Telnet (TCP:23) should not be allowed",
+ "actualValue": "Telnet (TCP:23) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,135",
+ "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed",
+ "actualValue": "MSSQL Debugger (TCP:135) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,53",
+ "expectedValue": "DNS (TCP:53) should not be allowed",
+ "actualValue": "DNS (TCP:53) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,53",
+ "expectedValue": "DNS (UDP:53) should not be allowed",
+ "actualValue": "DNS (UDP:53) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "UDP,139",
+ "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed",
+ "actualValue": "NetBIOS Session Service (UDP:139) is allowed",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Sensitive Port Is Exposed To Small Public Network",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "TCP,110",
+ "expectedValue": "POP3 (TCP:110) should not be allowed",
+ "actualValue": "POP3 (TCP:110) is allowed",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json
index 39b9174ff5a..a74e5c24baf 100644
--- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json
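Review bot: The searchValue frozen in every entry of this file uses a comma separator (`"searchValue": "TCP,23"`), while the sibling fixture for sensitive_port_is_exposed_to_wide_private_network that follows records the colon form (`"searchValue": "TCP:23"`) and this file's own expectedValue/actualValue strings also use `TCP:23`; because these fixtures now assert the full result shape, the test suite pins that divergence between sibling queries instead of catching it. If searchValue is consumed by anything that parses it (report output, suppression matching), it is worth settling on one separator in the rego before regenerating, rather than freezing both forms. Separately, the 24 findings for positive10 at line 134 differ only by searchValue and appear in no obvious order, which suggests they come straight out of Rego set iteration; if the expected-result comparison is order-sensitive, a later regeneration could fail spuriously, so it is worth confirming the harness compares these entries as a multiset.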
@@ -2,221 +2,573 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP:61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide 
Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 64 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 78 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": 
"DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 106 + "line": 106, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": 
"IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", 
- "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, 
+ "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + 
"resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue" }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json index 2781952c731..a499967b128 100644 --- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json 
@@ -3,84 +3,182 @@ "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "positive1_1-app-service", + "searchKey": "azurerm_app_service[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive1_2", + "searchKey": "azurerm_windows_web_app[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "positive1_3", + "searchKey": "azurerm_linux_web_app[positive1_3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_batch_account", + "resourceName": "testbatchaccount", + "searchKey": 
"azurerm_batch_account[positive1_4]", + "searchValue": "", + "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_eventhub", + "resourceName": "acceptanceTestEventHub", + "searchKey": "azurerm_eventhub[positive1_5]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_6]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 55, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_iothub", + "resourceName": "positive1_7-IoTHub", + "searchKey": "azurerm_iothub[positive1_7]", + "searchValue": "", + "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + 
"issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 66, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "positive1_8-resource", + "searchKey": "azurerm_search_service[positive1_8]", + "searchValue": "", + "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[positive1_9]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 80, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_stream_analytics_job", + "resourceName": "positive1_10-job", + "searchKey": "azurerm_stream_analytics_job[positive1_10]", + "searchValue": "", + "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "filename": "positive1.tf", + 
"resourceType": "azurerm_application_gateway", + "resourceName": "positive1_11-appgateway", + "searchKey": "azurerm_application_gateway[positive1_11]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 99, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "positive1_12-logic-app", + "searchKey": "azurerm_logic_app_standard[positive1_12]", + "searchValue": "", + "expectedValue": "'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_data_lake_analytics_account", + "resourceName": "${var.name}", + "searchKey": "azurerm_data_lake_analytics_account[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_data_lake_analytics_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_analytics_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_data_lake_store", + "resourceName": "consumptiondatalake", + "searchKey": "azurerm_data_lake_store[positive2_2]", + "searchValue": 
"", + "expectedValue": "'azurerm_data_lake_store' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_store' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json index 25015f4c442..215fdf67561 100644 --- a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", + "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 64 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", + "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json index 357ca0c6436..3e49e0281e7 100644 --- a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 10 + "line": 10, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive1", + "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [89])", + "issueType": "IncorrectValue" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive2", + "searchKey": "azurerm_network_watcher_flow_log[positive2].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive2.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [3])", + "issueType": "IncorrectValue" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive3", + "searchKey": "azurerm_network_watcher_flow_log[positive3]", + "searchValue": "", + "expectedValue": "'positive3.retention_policy' should exist)", + "actualValue": "'positive3.retention_policy' doesn't exist)", + "issueType": "MissingAttribute" }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 43 + "line": 43, + "filename": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive4", + "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'positive4.retention_policy' should be enabled)", + "actualValue": "'positive4.retention_policy' is disabled)", + "issueType": "IncorrectValue" } ] 
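Review bot: Every `expectedValue`/`actualValue` string in this hunk ends with an unmatched `)` — e.g. `"'positive1.retention_policy.days' should be bigger than 90)"` and `"'positive3.retention_policy' doesn't exist)"` — and committing them as expected output freezes the typo into the test suite. The text presumably comes from the sprintf calls in this query's query.rego (not visible here); dropping the stray parenthesis there first and regenerating would avoid touching this fixture twice. The issueType assignments themselves (IncorrectValue for the two day counts and the disabled flag, MissingAttribute for the absent block) look consistent with the messages.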
diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json index 904c4f524c5..f73a0eac754 100644 --- a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", + "searchValue": "", + "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", + "actualValue": "extended_auditing_policy.retention_in_days is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 28 + "line": 28, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 46 + "line": 46, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "MissingAttribute" }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 66 + "line": 66, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "sqlserver", + "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' 
should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json index ac111615ad6..f2fe0fe6a13 100644 --- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json 
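Review bot: The positive2, positive3 and positive4 entries are tagged `"issueType": "MissingAttribute"` although their `actualValue` strings describe a present attribute with a bad value (`'extended_auditing_policy.retention_in_days' is 90` / `is 0` / `is 20`), and the sibling query Small MSSQL Audit Retention Period in this same diff tags the identical messages `IncorrectValue`. Only the positive1 entry, whose actualValue is `retention_in_days is not defined`, fits MissingAttribute. Whether this mirrors what this query's query.rego actually emits or is a mis-match by the fixture generator cannot be told from the diff, but it should be checked before the value is locked in as expected: if the rego reports MissingAttribute for a defined-but-too-small value, that is the bug to fix, and these three entries should then become `"issueType": "IncorrectValue"`.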
@@ -2,21 +2,53 @@ { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 6", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "IncorrectValue" }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 67 + "line": 67, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": 
"'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json index 5bf802a4381..2bc35c7c8d9 100644 --- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Small PostgreSQL DB Server Log Retention Period", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention_days", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration[positive1].value' is greater than 3 and less than 8", + "actualValue": "'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json index f29978bdc55..7e1d38fbe80 100644 --- a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json 
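Review bot: The `actualValue` string `"'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)"` in the Small PostgreSQL DB Server Log Retention Period hunk is a formatting error escaping from the query's sprintf (a `%s` verb applied to an integer), and this hunk commits that garbage as the expected result. The fix belongs in the query's rego message — format the value with `%d` or convert it to a string first so the output reads `... is 2` — and the fixture should be regenerated afterwards rather than asserting the broken text. As written, the test will fail the moment someone corrects the message.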
@@ -2,11 +2,27 @@ { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 50 + "line": 34, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive4].threat_detection_policy.state", + "searchValue": "", + "expectedValue": "'threat_detection_policy.state' equal 'Enabled'", + "actualValue": "'threat_detection_policy.state' equal 'Disabled'", + "issueType": "IncorrectValue" }, { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 34 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive5].threat_detection_policy", + "searchValue": "", + "expectedValue": "'threat_detection_policy' should exist", + "actualValue": "'threat_detection_policy' is missing", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json index 93f9af90d07..7bc9cf24a45 100644 --- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "Beta - SQL Database Without Data Encryption", "severity": "HIGH", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[example].transparent_data_encryption_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' should be set to 'true'", + "actualValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' is set to 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json index 829b77ac1d8..44123935310 100644 --- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@ "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive1", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' should be defined", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive2", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json index 558004dd187..ee9e82e96fb 100644 --- a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json 
@@ -2,6 +2,14 @@ { "queryName": "SQL Server Auditing Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_sql_server.positive1.extended_auditing_policy' should exist", + "actualValue": "'azurerm_sql_server.positive1.extended_auditing_policy' does not exist", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 7c1b06e5a73..257265fafea 100644 --- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_mssql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mssql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "test-rule", + "searchKey": "azurerm_mariadb_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mariadb_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mariadb_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": 
"positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_postgresql_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "example-fw", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index f1a0a9de803..1163eaaa27f 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 21 + "line": 21, + "filename": "positive.tf", + "resourceType": "azurerm_sql_active_directory_administrator", + "resourceName": "positive3", + "searchKey": "azurerm_sql_active_directory_administrator[positive3].login", + "searchValue": "", + "expectedValue": "'azurerm_sql_active_directory_administrator[positive3].login' should not be empty'", + "actualValue": "'azurerm_sql_active_directory_administrator[positive3].login' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 29 + "line": 29, + "filename": "positive.tf", + "resourceType": "azurerm_sql_active_directory_administrator", + "resourceName": "positive4", + "searchKey": "azurerm_sql_active_directory_administrator[positive4].login", + "searchValue": "", + "expectedValue": "'azurerm_sql_active_directory_administrator[positive4].login' should not be predictable'", + "actualValue": "'azurerm_sql_active_directory_administrator[positive4].login' is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
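Review bot: Both `expectedValue` strings in this hunk end with an unbalanced single quote — `... should not be empty'` and `... should not be predictable'` — so the fixture now locks in a typo from the query's keyExpectedValue message; the same stray quote appears in the next hunk for sql_server_predictable_admin_account_name. Since this script only copies the message the rego produces, the fix belongs in the two query.rego files, followed by a regeneration, e.g. `"expectedValue": "'azurerm_sql_active_directory_administrator[positive3].login' should not be empty"`. Hand-correcting the JSON alone would make the test fail against the scanner's real output.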
diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index 6c2df2f3069..ceba7882239 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive3].administrator_login", + "searchValue": "", + "expectedValue": "'azurerm_sql_server[positive3].administrator_login' should not be empty'", + "actualValue": "'azurerm_sql_server[positive3].administrator_login' is empty", + "issueType": "IncorrectValue" }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 40 + "line": 40, + "filename": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive4].administrator_login", + "searchValue": "", + "expectedValue": "'azurerm_sql_server[positive4].administrator_login' should not be predictable'", + "actualValue": "'azurerm_sql_server[positive4].administrator_login' is predictable", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json index 8c0a501291d..54d23e10f66 100644 --- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json 
@@ -2,101 +2,261 @@ { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "", + "expectedValue": 
"'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 64 + "line": 64, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 78 + "line": 78, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 92 + "line": 92, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 106 + "line": 106, + "filename": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 120 + "line": 120, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 153 + "line": 153, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { 
"queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 165 + "line": 165, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 177 + "line": 177, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive13", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 189 + "line": 189, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive14", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 201 + "line": 201, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive15", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + 
"issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 213 + "line": 213, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 225 + "line": 225, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 237 + "line": 237, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 249 + "line": 249, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": 
"'destination_port_range' might be 22", + "issueType": "IncorrectValue" }, { "queryName": "SSH Is Exposed To The Internet", "severity": "MEDIUM", - "line": 261 + "line": 261, + "filename": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 22", + "actualValue": "'destination_port_range' might be 22", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index e62b1c19066..a7af4ec274d 100644 --- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive1].ssl_enforcement_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' should equal 'true'", + "actualValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' is equal 'false'", + "issueType": "IncorrectValue" }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "filename": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "example-psqlserver", + "searchKey": "azurerm_postgresql_server[positive2].ssl_enforcement_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' should equal 'true'", + "actualValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 87ed2953656..a859ed03eec 100644 --- a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example1", + "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example2", + "searchKey": "azurerm_storage_account[example2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists", + "issueType": "MissingAttribute" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "example1", + "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'", + "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + 
"resourceName": "example2", + "searchKey": "azurerm_storage_account[example2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'", + "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json index 13b4ae0d843..0375a882fd5 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json 
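Review bot: The `expectedValue` for the example2 entries says `(since Terraform v4.0)`, but the rename from `enable_https_traffic_only` to `https_traffic_only_enabled` is, as far as I can tell, an azurerm provider 4.0 change rather than a Terraform core version — there is no Terraform v4.0. The fixture faithfully records the query's wording, so the correction belongs in the rego message with a regeneration afterwards, e.g. `... or (since azurerm provider v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'`. Worth confirming against the provider changelog before changing it.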
@@ -2,31 +2,79 @@ { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 32 + "line": 32, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].share_properties.smb", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": 
"azurerm_storage_account", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account[positive4].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 61 + "line": 61, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive5", + "searchKey": "azurerm_storage_account[positive5].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version", "severity": "HIGH", - "line": 75 + "line": 75, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive6", + "searchKey": "azurerm_storage_account[positive6].share_properties.smb.versions", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'", + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index f58b0acc496..ae0bf5a4813 100644 --- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Storage Account Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 7, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].min_tls_version' is 'TLS1_2'", + "actualValue": "'azurerm_storage_account[positive2].min_tls_version' is not 'TLS1_2'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json index b938673842c..c7654c2a85c 100644 --- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].share_properties.smb", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 46 + "line": 46, + 
"filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive5", + "searchKey": "azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 74 + "line": 74, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive6", + "searchKey": "azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
index 232f7ba3365..2a8cba91ba7 100644
--- a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1].cross_tenant_replication_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' should be set to false",
+ "actualValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' is set to true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json
index 3aabd7181b9..47e96c3c172 100644
--- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json
@@ -2,11 +2,27 @@ { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 18 + "line": 18, + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json index 12468537f01..f026c8c8303 100644 --- a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json 
@@ -3,6 +3,13 @@ "queryName": "Beta - Storage Account Without CMK", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "filename": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1_1] must be associated with a 'azurerm_storage_account_customer_managed_key' resource and the block 'customer_managed_key' should be set", + "actualValue": "'azurerm_storage_account[positive1_1] is not associated with a 'azurerm_storage_account_customer_managed_key' resource and the 'customer_managed_key' block is undefined or null", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 940bf434657..2056b7f190f 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json 
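Review bot: The expectedValue and actualValue pinned for `azurerm_storage_account[positive1_1]` carry an unbalanced quote — the opening `'` before the resource key is never closed — so this fixture now locks a malformed message into the test suite. The text mirrors the query's keyExpectedValue/keyActualValue rather than anything authored here, so the fix belongs in the rego (`'azurerm_storage_account[positive1_1]' must be associated with …` and `'azurerm_storage_account[positive1_1]' is not associated with …`), after which this file should be regenerated rather than hand-edited. It is worth doing in the same pass, since this hunk already rewrites the entry (old `fileName` key dropped for `filename`) and a later message fix would otherwise touch it a second time.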
@@ -3,30 +3,65 @@ "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos3]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos3]' is associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": 
"LOW", "line": 6, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos4]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos5]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 680aa200d65..ebc4fa215f0 100644 --- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json 
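Review bot: The positive3.tf entry pins a finding for a storage account whose `azurerm_management_lock[storage_delete_lock_pos3]` has `lock_level` `ReadOnly`, classified as IncorrectValue. In Azure a ReadOnly lock also blocks deletion (it forbids update and delete, a superset of CanNotDelete), so if the query's intent is purely delete protection this looks like a false positive that the fixture now makes permanent — confirm against the rego and the documented lock-level semantics before merging. If the query deliberately accepts only CanNotDelete (ReadOnly has operational side effects on storage accounts), the pinned expectedValue should say so, e.g. `should be associated with an 'azurerm_management_lock' where lock_level is 'CanNotDelete' (ReadOnly is not accepted by this check)`, with the wording changed in the query and this file regenerated.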
@@ -2,6 +2,14 @@
 {
 "queryName": "Storage Container Is Publicly Accessible",
 "severity": "HIGH",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_container",
+ "resourceName": "vhds",
+ "searchKey": "azurerm_storage_container[positive1].container_access_type",
+ "searchValue": "",
+ "expectedValue": "'container_access_type' should equal to 'private'",
+ "actualValue": "'container_access_type' is not equal to 'private'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json
index 61688033065..ed550f732aa 100644
--- a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Storage Share Allows All ACL Permissions",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_storage_share",
+ "resourceName": "my-awesome-content.zip",
+ "searchKey": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions should not allow all ACL permissions",
+ "actualValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions allows all ACL permissions",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json
index 533a2db0fd7..7de50858638 100644
--- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Storage Table Allows All ACL Permissions",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_table",
+ "resourceName": "my_table_name",
+ "searchKey": "azurerm_storage_table[table_resource].acl.permissions",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_table[table_resource].acl.permissions should not allow all ACL permissions",
+ "actualValue": "azurerm_storage_table[table_resource].acl.permissions allows all ACL permissions",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json
index 923845f4cad..c2dd967ea0f 100644
--- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account_network_rules",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account_network_rules[positive1].bypass",
+ "searchValue": "",
+ "expectedValue": "'bypass' should contain 'AzureServices'",
+ "actualValue": "'bypass' does not contain 'AzureServices'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "MEDIUM",
- "line": 21
+ "line": 21,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive2].network_rules.bypass",
+ "searchValue": "",
+ "expectedValue": "'network_rules.bypass' should contain 'AzureServices'",
+ "actualValue": "'network_rules.bypass' does not contain 'AzureServices'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
index 2bb3208cf1d..6a4e69e5984 100644
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json
@@ -3,108 +3,234 @@ "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 19, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "positive5-legacy", + "searchKey": "azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set 
to '0.0.0.0'.", + "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 19, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 26, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 33, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "positive5", + "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", + "searchValue": "", + 
"expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 25, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 33, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 41, - "fileName": "positive3.tf" + "filename": "positive3.tf", + 
"resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 24, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 32, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 
256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 41, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 20, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": 
"'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 20, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": 
"IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue" }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json index 9201445fe72..48f39578b63 100644 
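Review bot: For the three rules named `AllowAzure` the pinned actualValue only states that both addresses are `0.0.0.0`, which tells a reader nothing about why a CRITICAL severity is warranted; on Azure that exact start/end pair is the sentinel that admits connections from any Azure-hosted address, including other tenants, and the message should say so. Because this fixture mirrors the query's keyActualValue, the wording belongs in the rego — e.g. `Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0', which allows access from all Azure-hosted addresses across tenants` — with this file regenerated afterwards. The range-width entries (`FirewallRule1`/`FirewallRule2`, difference >= 256) are fine as pinned; only the sentinel case lacks the rationale.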
--- a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive3", + "searchKey": "azurerm_role_assignment[positive3].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_role_assignment", 
+ "resourceName": "positive4", + "searchKey": "azurerm_role_assignment[positive4].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive5", + "searchKey": "azurerm_role_assignment[positive5].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive6", + "searchKey": "azurerm_role_assignment[positive6].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json index 5b955eb3023..2a094d441be 100644 --- a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json 
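Review bot: The fixture now pins an ungrammatical finding message on every `role_definition_id` entry (positive2, positive4 and positive6): `"actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role."` — "have" should be "has". The string is emitted by the query's query.rego, which is not part of this diff, so the right fix is to correct the message there and regenerate this file rather than hand-edit the expected value; editing only the fixture would make the test fail against the scanner's output.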
+++ b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Vault Auditing Disabled",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_key_vault",
+ "resourceName": "testvault",
+ "searchKey": "azurerm_key_vault[example1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_key_vault' should be associated with 'azurerm_monitor_diagnostic_setting'",
+ "actualValue": "'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json
index e47a40f00a2..7d1b073ee74 100644
--- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Virtual Network with DDoS Protection Plan disabled",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "azurerm_virtual_network",
+ "resourceName": "virtualNetwork1",
+ "searchKey": "azurerm_virtual_network[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' should be defined and not null",
+ "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Virtual Network with DDoS Protection Plan disabled",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "azurerm_virtual_network",
+ "resourceName": "virtualNetwork1",
+ "searchKey": "azurerm_virtual_network[positive1].ddos_protection_plan.enable",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' should be set to true",
+ "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' is set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json
index 344ed2f15ef..65dea32711c 100644
--- a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "VM Not Attached To Network",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive1].network_interface_ids",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list should not be empty",
+ "actualValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list is empty",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json
index 2370f2b2431..4ddf0825d0c 100644
--- a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Beta - VM With Automatic Updates Disabled",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_windows_virtual_machine",
+ "resourceName": "positive1-machine",
+ "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'",
+ "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - VM With Automatic Updates Disabled",
 "severity": "MEDIUM",
- "line": 24
+ "line": 24,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_windows_virtual_machine",
+ "resourceName": "positive2-machine",
+ "searchKey": "azurerm_windows_virtual_machine[positive2].automatic_updates_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' should be set to 'true'",
+ "actualValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' is set to 'false'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - VM With Automatic Updates Disabled",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "filename": "positive.tf",
+ "resourceType": "azurerm_windows_virtual_machine_scale_set",
+ "resourceName": "positive3-vmss",
+ "searchKey": "azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' should be set to 'true'",
+ "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json
index 10913b2c611..fb22c202543 100644
--- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 
20, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + 
"resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json index e7c8041e0ee..0330d390752 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json 
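Review bot: The last entry of this hunk pairs `"resourceType": "azurerm_windows_virtual_machine_scale_set"` with `"resourceName": "positive4_2-machine"`, while its sibling entry is named `positive4_1-vmss`; presumably resourceName is copied from the sample's `name` attribute, so this looks like a copy-paste slip in positive4.tf rather than in the generator, but it is worth confirming before the fixture locks it in. The same pattern appears in vm_without_admin_ssh_public_key_set (the positive2_* scale-set entries are named `-machine`) and in vm_without_encryption_at_host (`positive4_2-machine` on a scale set). If the samples are corrected, these entries need regenerating, since the fixture must match the scanner's output byte for byte.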
@@ -3,54 +3,117 @@ "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive1.tf" + "filename": "positive1.tf", + 
"resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", 
+ "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.json" + "filename": "positive3.json", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "example-vm", + "searchKey": "azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json
index 96ca9c2ebfc..312c5dc06e9 100644
--- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json
@@ -3,48 +3,104 @@ "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 24, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 20, - "fileName": "positive2.tf" + "filename": 
"positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 22, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": 
"positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 20, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json index f38283bec56..41213e66efc 100644 --- a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].storage_os_disk' should be defined and not null", + "actualValue": "'azurerm_virtual_machine[positive1].storage_os_disk' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 21, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 34, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", + "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive2-machine", + "searchKey": 
"azurerm_linux_virtual_machine[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' should be defined and not null", + "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 10, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "vmss-premium-positive4_1", + "searchKey": "azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' should not be set", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 23, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "vmss-premium-positive4_2", + "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk", + "searchValue": "", + "expectedValue": 
"'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 18, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set", + "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set", + "issueType": "IncorrectValue" }, { "queryName": "Beta - VM Without Managed Disk", "severity": "MEDIUM", "line": 16, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive6].storage_os_disk", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive6].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'", + "actualValue": "'azurerm_virtual_machine[positive6].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json index ed082b15181..9c85a4f7958 100644 --- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "WAF Is Disabled For Azure Application Gateway", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[positive1].waf_configuration.enabled", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is true", + "actualValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is false", + "issueType": "IncorrectValue" }, { "queryName": "WAF Is Disabled For Azure Application Gateway", "severity": "MEDIUM", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[positive2]' should be set", + "actualValue": "'azurerm_application_gateway[positive2]' is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json index a85ef677c82..edada78b86b 100644 --- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json 
@@ -3,36 +3,78 @@ "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].https_only' should be set to true", + "actualValue": "'azurerm_app_service[positive1-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].https_only' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-2].https_only' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].https_only' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].https_only' should be 
defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-2].https_only' is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].https_only", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].https_only' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].https_only' is not set to true", + "issueType": "IncorrectValue" }, { "queryName": "Web App Accepting Traffic Other Than HTTPS", "severity": "MEDIUM", "line": 15, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].https_only' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-2].https_only' is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json index 7b122be2d1e..652161e6cae 100644 --- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Databricks Autoscale Badly Setup", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" - }, - { - "queryName": "Databricks Autoscale Badly Setup", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" - } + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6, + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].autoscale", + "searchValue": "max_workers", + "expectedValue": "'databricks_cluster[positive1].autoscale.max_workers' should not be empty", + "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'", + "issueType": "MissingAttribute" + }, + { + "queryName": "Databricks Autoscale Badly Setup", + "severity": "MEDIUM", + "line": 6, + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].autoscale", + "searchValue": "min_workers", + "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty", + "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json index aecb1ae2f97..4e04aa39d11 100644 --- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json 
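Review bot: Both `actualValue` strings in this hunk carry a stray trailing quote, `"'databricks_cluster[positive1].autoscale.max_workers' is not setup'"`, and the fixture presumably mirrors the message the query itself emits rather than containing a typo of its own. Correcting it only in the fixture would make the expectation diverge from real scanner output, so the fix belongs in that query's `query.rego` message (`is not setup`) followed by regenerating this file. The same inherited wording defects appear in the use_lts_spark_version hunk (`should be a LTS version'`), the use_spark_submit_task hunk (`should not contains to 'spark_submit_task'`), the cluster_aws_attributes hunk (`should be egal to 'auto'`) and both indefinitely_*_token hunks (`should not have indefinitely lifetime`), and they should be fixed the same way.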
@@ -3,24 +3,52 @@ "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].aws_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive1].aws_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive1].aws_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 13, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].aws_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' should not be equal to '0'", + "actualValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' is equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive3", + "searchKey": "databricks_cluster[positive3].aws_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' should present", + "actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster AWS Attribute Best Practices", "severity": "LOW", "line": 12, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive4", + "searchKey": 
"databricks_cluster[positive4].aws_attributes.zone_id", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive4].aws_attributes.zone_id' should be egal to 'auto'", + "actualValue": "'databricks_cluster[positive4].aws_attributes.zone_id' is not equal to 'auto'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json index 088648d2169..b13bc6b4a6c 100644 --- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json 
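Review bot: The positive3 entry pairs `"actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present"` with `"issueType": "IncorrectValue"`, although an attribute that is absent is what the `MissingAttribute` type in the generator's fixed set is for. Since the generator takes the issueType from the query's rego, the mismatch likely originates there and should be confirmed against `query.rego` before this expectation is frozen. The same question applies to positive3 in the cluster_azure_attributes hunk (`is not present`) and to positive1 in the cloud_storage_anonymous_or_publicly_accessible hunk (`members' is null`).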
@@ -3,18 +3,39 @@ "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive1", + "searchKey": "databricks_cluster[positive1].azure_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive1].azure_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2", + "searchKey": "databricks_cluster[positive2].azure_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' should not be equal to '0'", + "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'", + "issueType": "IncorrectValue" }, { "queryName": "Check Databricks Cluster Azure Attribute Best Practices", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive3", + "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present", + "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json index 25a6cb6b10d..1517f2fc6b9 100644 --- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json @@ -3,6 +3,13 @@ "queryName": "Check Databricks Cluster GCP Attribute Best Practices", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive", + "searchKey": "databricks_cluster[positive].gcp_attributes.availability", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive].gcp_attributes.availability' should not be equal to 'SPOT'", + "actualValue": "'databricks_cluster[positive].gcp_attributes.availability' is equal to 'SPOT'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json index fa8ae3b3161..a55c5df403d 100755 --- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 16, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_job", + "resourceName": "Featurization", + "searchKey": "databricks_job[positive1_error]", + "searchValue": "", + "expectedValue": "'databricks_job[positive1_error]' should have permissions", + "actualValue": "'databricks_job[positive1_error]' doesn't have permission associated", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 12, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_cluster", + "resourceName": "positive2_error", + "searchKey": "databricks_cluster[positive2_error]", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive2_error]' should have permissions", + "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated", + "issueType": "MissingAttribute" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 16, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_permissions", + "resourceName": "positive3", + "searchKey": "databricks_permissions.[positive3]", + "searchValue": "", + "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", + "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated", + "issueType": "IncorrectValue" }, { "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)", "severity": "HIGH", "line": 16, - "fileName": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "databricks_permissions", + "resourceName": "positive4", + "searchKey": 
"databricks_permissions.[positive4]", + "searchValue": "", + "expectedValue": "'databricks_permissions[positive4]' should not have permission_level == 'IS_OWNER' without service_principal_name associated", + "actualValue": "'databricks_permissions[positive4]' have permission_level == 'IS_OWNER' without service_principal_name associated", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json index 0fadf818ea4..645fb4acc7a 100644 --- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json 
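Review bot: The `searchKey` values for positive3 and positive4, `"databricks_permissions.[positive3]"` and `"databricks_permissions.[positive4]"`, contain a stray `.` before the bracket, while the `expectedValue` in the same entries and every other searchKey in this diff use the `type[name]` form. If the scanner really emits the dotted form the fixture is faithful, but the inconsistency then lives in the query's searchKey construction and will confuse anything that keys on searchKey; it is worth correcting there (`"databricks_permissions[positive3]"`) and regenerating rather than cementing it in the expectation.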
@@ -1,14 +1,28 @@ [ - { - "queryName": "Databricks Group Without User Or Instance Profile", - "severity": "LOW", - "line": 16, - "fileName": "positive1.tf" - }, - { - "queryName": "Databricks Group Without User Or Instance Profile", - "severity": "LOW", - "line": 14, - "fileName": "positive2.tf" - } + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 16, + "filename": "positive1.tf", + "resourceType": "aws_databricks_group", + "resourceName": "Some Group", + "searchKey": "databricks_group[positive_group_2]", + "searchValue": "", + "expectedValue": "aws_databricks_group[positive_group_2] should be associated with an databricks_group_member that has at least one user set", + "actualValue": "aws_databricks_group[positive_group_2] is not associated with an databricks_group_member that has at least one user set", + "issueType": "MissingAttribute" + }, + { + "queryName": "Databricks Group Without User Or Instance Profile", + "severity": "LOW", + "line": 14, + "filename": "positive2.tf", + "resourceType": "aws_databricks_group", + "resourceName": "my_group_name", + "searchKey": "databricks_group[positive_group2]", + "searchValue": "", + "expectedValue": "aws_databricks_group[positive_group2] should be associated with an databricks_group_member that has at least one user set", + "actualValue": "aws_databricks_group[positive_group2] is not associated with an databricks_group_member that has at least one user set", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json index cc134659b5a..858aba2229a 100644 --- a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json 
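Review bot: Both entries set `"resourceType": "aws_databricks_group"` while their `searchKey` is `databricks_group[positive_group_2]` / `databricks_group[positive_group2]`; the Databricks provider resource is `databricks_group`, so the `aws_` prefix looks like a typo in the query's result construction that this fixture now locks in. The `expectedValue`/`actualValue` strings repeat the same name and also read `an databricks_group_member`, which should be `a databricks_group_member`. A comparable resourceType/searchKey disagreement is in the use_lts_spark_version hunk, where positive3 has `"resourceType": "databricks_spark_version"` but `"searchKey": "databricks_cluster[positive3_research].spark_version"`; both should be checked against the query before the expectations are regenerated.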
@@ -1,8 +1,15 @@ [ - { - "queryName": "Indefinitely Databricks OBO Token Lifetime", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Indefinitely Databricks OBO Token Lifetime", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "databricks_obo_token", + "resourceName": "positive", + "searchKey": "databricks_obo_token[positive]", + "searchValue": "", + "expectedValue": "'databricks_obo_token[positive]' should not have indefinitely lifetime", + "actualValue": "'databricks_obo_token[positive]' have an indefinitely lifetime", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json index 804551b008f..f8c2f6356f4 100644 --- a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Indefinitely Databricks Token Lifetime", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Indefinitely Databricks Token Lifetime", + "severity": "MEDIUM", + "line": 1, + "filename": "positive.tf", + "resourceType": "databricks_token", + "resourceName": "positive", + "searchKey": "databricks_token[positive]", + "searchValue": "", + "expectedValue": "'databricks_token[positive]' should not have indefinitely lifetime", + "actualValue": "'databricks_token[positive]' have an indefinitely lifetime", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json index a70c25b0fd1..74ee01386ea 100644 
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Unrestricted Databricks ACL", - "severity": "HIGH", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Unrestricted Databricks ACL", - "severity": "HIGH", - "line": 10, - "fileName": "positive2.tf" - } + { + "queryName": "Unrestricted Databricks ACL", + "severity": "HIGH", + "line": 10, + "filename": "positive1.tf", + "resourceType": "databricks_ip_access_list", + "resourceName": "positive1", + "searchKey": "databricks_ip_access_list[positive1].ip_addresses", + "searchValue": "", + "expectedValue": "'databricks_ip_access_list[positive1].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", + "actualValue": "'databricks_ip_access_list[positive1].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Unrestricted Databricks ACL", + "severity": "HIGH", + "line": 10, + "filename": "positive2.tf", + "resourceType": "databricks_ip_access_list", + "resourceName": "positive2", + "searchKey": "databricks_ip_access_list[positive2].ip_addresses", + "searchValue": "", + "expectedValue": "'databricks_ip_access_list[positive2].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'", + "actualValue": "'databricks_ip_access_list[positive2].ip_addresses' is equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json index 470a1b1b315..e9d78bea7c7 100644 --- a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "databricks_spark_version", + "resourceName": "postive1_gpu_ml", + "searchKey": "databricks_spark_version[postive1_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[postive1_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[postive1_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue" }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive2_gpu_ml", + "searchKey": "databricks_spark_version[positive2_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[positive2_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[positive2_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue" }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive3_research", + "searchKey": "databricks_cluster[positive3_research].spark_version", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3_research].spark_version' should be a LTS version'", + "actualValue": "'databricks_cluster[positive3_research].spark_version' is not a LTS version'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 435ab8cd80c..98b962bbc60 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json 
+++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json @@ -1,14 +1,28 @@ [ - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive1.tf" - }, - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.tf" - } + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 36, + "filename": "positive1.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue" + }, + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 18, + "filename": "positive2.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index 227af76ed82..6ab98f4fd6c 100644 --- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ - { - "queryName": "BigQuery Dataset Is Public", - "severity": "HIGH", - "line": 14 - } + { + "queryName": "BigQuery Dataset Is Public", + "severity": "HIGH", + "line": 14, + "filename": "positive.tf", + "resourceType": "google_bigquery_dataset", + "resourceName": "test", + "searchKey": "google_bigquery_dataset[positive1].access.special_group", + "searchValue": "", + "expectedValue": "'access.special_group' should not equal to 'allAuthenticatedUsers'", + "actualValue": "'access.special_group' is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json index 2522abd8e3b..6bec3a60ffe 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/metadata.json @@ -9,6 +9,5 @@ "descriptionID": "4f60da73", "cloudProvider": "gcp", "cwe": "778", - "riskScore": "3.0", - "experimental": "true" + "riskScore": "3.0" } diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json index bc92565213d..a0e8490f848 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json 
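Review bot: The metadata.json hunk drops `"experimental": "true"` from cloud_asset_inventory_disabled, which promotes the query out of experimental status and so changes which scans execute it by default — a policy-scope change, not a fixture-expectation change like the rest of this diff. If that promotion is intended it deserves a sentence in the commit description (or its own commit) so reviewers can assess the query's readiness separately from the expected-result regeneration; if it is not intended, restore the line as `"riskScore": "3.0",` / `"experimental": "true"`.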
@@ -3,42 +3,91 @@ "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_1", + "searchKey": "google_project_service[positive1_1].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_2", + "searchKey": "google_project_service[positive1_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "google_project_service", + "resourceName": "positive_2", + "searchKey": "google_project_service[positive_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "google_project_service", + "resourceName": 
"positive_3", + "searchKey": "google_project_service[positive_3].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive4.tf" + "filename": "positive4.tf", + "resourceType": "google_project_service", + "resourceName": "positive_4", + "searchKey": "google_project_service[positive_4].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "google_project_service", + "resourceName": "positive_5", + "searchKey": "google_project_service[positive_5].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "google_project_service", + "resourceName": "positive_6", + "searchKey": "google_project_service[positive_6].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + 
"actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json index 331cfe387e7..5a091a97c03 100755 --- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 10 - } + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 10, + "filename": "positive.tf", + "resourceType": "google_dns_managed_zone", + "resourceName": "foobar", + "searchKey": "google_dns_managed_zone[positive1].dnssec_config.state", + "searchValue": "", + "expectedValue": "'dnssec_config.state' should equal to 'on'", + "actualValue": "'dnssec_config.state' is not equal to 'on'", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 37abd5f3a06..eaea1c8d870 100644 --- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json 
@@ -2,16 +2,40 @@
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket_iam_binding",
+ "resourceName": "positive1",
+ "searchKey": "google_storage_bucket_iam_binding[positive1].members",
+ "searchValue": "",
+ "expectedValue": "'google_storage_bucket_iam_binding[positive1].members' should not be null",
+ "actualValue": "'google_storage_bucket_iam_binding[positive1].members' is null",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket_iam_binding",
+ "resourceName": "positive2",
+ "searchKey": "google_storage_bucket_iam_binding[positive2].members",
+ "searchValue": "",
+ "expectedValue": "'google_storage_bucket_iam_binding[positive2].members' should not have 'allUsers'",
+ "actualValue": "'google_storage_bucket_iam_binding[positive2].members' has 'allUsers'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket_iam_binding",
+ "resourceName": "positive3",
+ "searchKey": "google_storage_bucket_iam_binding[positive3].members",
+ "searchValue": "",
+ "expectedValue": "'google_storage_bucket_iam_binding[positive3].members' should not have 'allAuthenticatedUsers'",
+ "actualValue": "'google_storage_bucket_iam_binding[positive3].members' has 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
index e6f735ed5d3..608efe833c7 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket_iam_member",
+ "resourceName": "positive1",
+ "searchKey": "google_storage_bucket_iam_member[positive1].member",
+ "searchValue": "",
+ "expectedValue": "'member' not equal to 'allUsers' nor 'allAuthenticatedUsers'",
+ "actualValue": "'member' equal to 'allUsers'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket_iam_member",
+ "resourceName": "positive2",
+ "searchKey": "google_storage_bucket_iam_member[positive2].members",
+ "searchValue": "",
+ "expectedValue": "None of the 'members' equal to 'allUsers' nor 'allAuthenticatedUsers'",
+ "actualValue": "One of the 'members' equal to 'allUsers' or 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
index 01998d13ef7..f233536a73d 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket",
+ "resourceName": "auto-expiring-bucket",
+ "searchKey": "google_storage_bucket[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_storage_bucket.logging' should be set",
+ "actualValue": "'google_storage_bucket.logging' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index af8d756621b..23380919c6d 100644
--- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket",
+ "resourceName": "foo",
+ "searchKey": "google_storage_bucket[positive1].versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket",
+ "resourceName": "foo",
+ "searchKey": "google_storage_bucket[positive2]",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be defined and not null",
+ "actualValue": "'versioning' it undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
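Review bot: In the versioning-disabled hunk the second entry's actualValue `'versioning' it undefined or null` carries a typo (`it` for `is`) that this fixture now pins as the expected message. Since the string is reproduced from the query's own message rather than authored here, the correction belongs in that query and the fixture should be regenerated afterwards; editing only this JSON would make the test fail against the current query output.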
diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json
index 42d70de1c7a..b003a6fe6dc 100644
--- a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'resource_labels' should be defined",
+ "actualValue": "Attribute 'resource_labels' is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json
index 58bbf39ea53..c21b85e4e19 100644
--- a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - Cluster Without Network Policy Support Enabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "gke-network-policy-cluster",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null",
+ "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Cluster Without Network Policy Support Enabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "gke-network-policy-cluster",
+ "searchKey": "google_container_cluster[positive2].network_policy.enabled",
+ "searchValue": "",
+ "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'",
+ "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
index 893e73a5d31..4b68429ca8f 100644
--- a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "COS Node Image Not Used",
 "severity": "LOW",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "primary-pool",
+ "searchKey": "google_container_node_pool[positive2].node_config.image_type",
+ "searchValue": "",
+ "expectedValue": "'node_config.image_type' should start with 'COS'",
+ "actualValue": "'node_config.image_type' does not start with 'COS'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json
index db3426b9872..a5c1337e44b 100644
--- a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_compute_disk",
+ "resourceName": "test-disk",
+ "searchKey": "google_compute_disk[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null",
+ "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_compute_disk",
+ "resourceName": "test-disk",
+ "searchKey": "google_compute_disk[positive2].disk_encryption_key",
+ "searchValue": "",
+ "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null",
+ "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_compute_disk",
+ "resourceName": "test-disk",
+ "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key",
+ "searchValue": "",
+ "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null",
+ "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_compute_disk",
+ "resourceName": "test-disk",
+ "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link",
+ "searchValue": "",
+ "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null",
+ "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
index e62c82567da..3d32eeae072 100644
--- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "DNSSEC Using RSASHA1",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "google_dns_managed_zone",
+ "resourceName": "positive1",
+ "searchKey": "google_dns_managed_zone[positive1].dnssec_config.default_key_specs.algorithm",
+ "searchValue": "",
+ "expectedValue": "dnssec_config.default_key_specs.algorithm shouldn't be 'rsasha1'",
+ "actualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json
index 7d7a85318de..e05a3f56376 100644
--- a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json
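Review bot: In the disk_encryption_disabled hunk the second entry's expectedValue and actualValue embed a `%!s(MISSING)` token (`'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link'`), which is the Go fmt marker for a format verb with no matching argument and indicates the query's sprintf passes one value for two `%s` verbs. Pinning it in the fixture makes the regression test pass only while that message bug persists, so the fix belongs in the query (supply the resource name for both verbs) followed by regenerating this file rather than hand-editing the JSON. The third and fourth entries have a related wording problem: actualValue `... is not empty or null` contradicts the expectedValue `... should not be empty or null` it is paired with, and that text also originates in the query. The query's message templates are outside this diff, so the exact sprintf call cannot be checked from here.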
@@ -3,24 +3,52 @@
 "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_essential_contacts_contact",
+ "resourceName": "positive1",
+ "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field",
+ "searchValue": "",
+ "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_essential_contacts_contact",
+ "resourceName": "positive2",
+ "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field",
+ "searchValue": "",
+ "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_essential_contacts_contact",
+ "resourceName": "positive3",
+ "searchKey": "google_essential_contacts_contact[positive3].notification_category_subscription_field",
+ "searchValue": "",
+ "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 
'TECHNICAL' and 'SECURITY' values defined",
+ "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_essential_contacts_contact",
+ "resourceName": "positive4",
+ "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field",
+ "searchValue": "",
+ "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json
index aecabd2ef92..da19deb875e 100644
--- a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block",
+ "actualValue": "'release_channel' block is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[positive2].release_channel.channel",
+ "searchValue": "",
+ "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block",
+ "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[positive3].release_channel.channel",
+ "searchValue": "",
+ "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block",
+ "actualValue": "'release_channel.channel' is defined to 'RAPID'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": 
"google_container_cluster[positive4].release_channel.channel",
+ "searchValue": "",
+ "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block",
+ "actualValue": "'release_channel.channel' is defined to 'EXTENDED'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
index d36000f3652..c97eec51bcb 100644
--- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "GKE Legacy Authorization Enabled",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].enable_legacy_abac",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enable_legacy_abac' should be set to false",
+ "actualValue": "Attribute 'enable_legacy_abac' is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json
index e781a03f475..2d68e3c1810 100644
--- a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "GKE Using Default Service Account",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[positive1].node_config",
+ "searchValue": "",
+ "expectedValue": "'service_account' should not be default",
+ "actualValue": "'service_account' is default",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "GKE Using Default Service Account",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[positive2].node_config.service_account",
+ "searchValue": "",
+ "expectedValue": "'service_account' should not be default",
+ "actualValue": "'service_account' is default",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
index 9366231c0bb..204e0e1189a 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Google Compute Network Using Default Firewall Rule",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Google Compute Network Using Default Firewall Rule",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "test-network",
+ "searchKey": "google_compute_network[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_network[positive1]' should not be using a default firewall rule",
+ "actualValue": "'google_compute_network[positive1]' is using a default firewall rule",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
index 6a20d45ece2..89fb4db968d 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json
@@ -1,8 +1,15 @@
 [
- {
- "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports",
+ "severity": "MEDIUM",
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "test-network",
+ "searchKey": "google_compute_network[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to all ports",
+ "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to all ports",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json
index 0aca9fb3041..802d7d959ba 100644
--- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range",
 "severity": "LOW",
 "line": 17,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "test-network",
+ "searchKey": "google_compute_network[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to port range",
+ "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to port range",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
index f00a4dda68f..fb5c85bd02c 100644
--- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Compute SSL Policy Weak Cipher In Use",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_ssl_policy",
+ "resourceName": "custom-ssl-policy",
+ "searchKey": "google_compute_ssl_policy[positive1].min_tls_version",
+ "searchValue": "",
+ "expectedValue": "google_compute_ssl_policy[positive1].min_tls_version should be TLS_1_2",
+ "actualValue": "google_compute_ssl_policy[positive1].min_tls_version is not TLS_1_2",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Compute SSL Policy Weak Cipher In Use",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_ssl_policy",
+ "resourceName": "custom-ssl-policy",
+ "searchKey": "google_compute_ssl_policy[positive2].min_tls_version",
+ "searchValue": "",
+ "expectedValue": "google_compute_ssl_policy[positive2].min_tls_version should be TLS_1_2",
+ "actualValue": "google_compute_ssl_policy[positive2].min_tls_version is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json
index 22bb34d3a69..baa5d6434b1 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Google Compute Subnetwork Logging Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_subnetwork",
+ "resourceName": "log-test-subnetwork",
+ "searchKey": "google_compute_subnetwork[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_subnetwork[positive1].log_config' should be defined and not null",
+ "actualValue": "'google_compute_subnetwork[positive1].log_config' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
index 3f44181858e..5a549037366 100644
--- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_compute_subnetwork",
+ "resourceName": "test-subnetwork",
+ "searchKey": "google_compute_subnetwork[positive1]",
+ "searchValue": "",
+ "expectedValue": "'google_compute_subnetwork[positive1].private_ip_google_access' should be defined and not null",
+ "actualValue": "'google_compute_subnetwork[positive1].private_ip_google_access' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Google Compute Subnetwork with Private Google Access Disabled",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_compute_subnetwork",
+ "resourceName": "test-subnetwork",
+ "searchKey": "google_compute_subnetwork[positive2].private_ip_google_access",
+ "searchValue": "",
+ "expectedValue": "'google_compute_subnetwork[positive2].private_ip_google_access' should be set to true",
+ "actualValue": "'google_compute_subnetwork[positive2].private_ip_google_access' is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
index c65451aec83..d06be56f71b 100644
--- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive2].management.auto_repair",
+ "searchValue": "",
+ "expectedValue": "google_container_node_pool[positive2].management.auto_repair should be true",
+ "actualValue": "google_container_node_pool[positive2].management.auto_repair is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Container Node Pool Auto Repair Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive3].management",
+ "searchValue": "",
+ "expectedValue": "google_container_node_pool[positive3].management.auto_repair should be defined and not null",
+ "actualValue": "google_container_node_pool[positive3].management.auto_repair is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json
index 437c9a69345..5e000bcc8a5 100644
--- a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - Google DNS Policy Logging Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_dns_policy",
+ "resourceName": "example-policy",
+ "searchKey": "google_dns_policy[example-policy]",
+ "searchValue": "",
+ "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true",
+ "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Google DNS Policy Logging Disabled",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "filename": "positive.tf",
+ "resourceType": "google_dns_policy",
+ "resourceName": "example-policy-2",
+ "searchKey": "google_dns_policy[example-policy-2].enable_logging",
+ "searchValue": "",
+ "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true",
+ "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json
index e3d8c46a398..ebe185c64bf 100644
--- a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Beta - Google Kubernetes Engine Cluster Has Alpha Features Enabled",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "pud-example-rg",
+ "searchKey": "google_container_cluster[positive].enable_kubernetes_alpha",
+ "searchValue": "",
+ "expectedValue": "'enable_kubernetes_alpha' should only be defined to 'false'",
+ "actualValue": "'enable_kubernetes_alpha' is defined to 'true'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json
index 20775ac6816..7839b924700 100644
--- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Project Auto Create Network Disabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "google_project",
+ "resourceName": "My Project",
+ "searchKey": "google_project[positive1].auto_create_network",
+ "searchValue": "",
+ "expectedValue": "google_project[positive1].auto_create_network should be set to false",
+ "actualValue": "google_project[positive1].auto_create_network is true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Project Auto Create Network Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "google_project",
+ "resourceName": "My Project",
+ "searchKey": "google_project[positive2]",
+ "searchValue": "",
+ "expectedValue": "google_project[positive2].auto_create_network should be set to false",
+ "actualValue": "google_project[positive2].auto_create_network is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
index 9879c8c4b8b..609582034f6 100644
--- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_binding[positive1].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[positive1].role should not be Service Account Token Creator",
+ "actualValue": "google_project_iam_binding[positive1].role is Service Account Token Creator",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_binding[positive2].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[positive2].role should not be Service Account Token Creator",
+ "actualValue": "google_project_iam_binding[positive2].role is Service Account Token Creator",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive3",
+ "searchKey": "google_project_iam_binding[positive3].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[positive3].role should not be Service Account User",
+ "actualValue": "google_project_iam_binding[positive3].role is Service Account User",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 29
+ "line": 29,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive4",
+ "searchKey": 
"google_project_iam_binding[positive4].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive4].role should not be Service Account User", + "actualValue": "google_project_iam_binding[positive4].role is Service Account User", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json index 74849105787..cf3cd655850 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive1", + "searchKey": "google_project_iam_member[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive1].role should not be admin", + "actualValue": "google_project_iam_member[positive1].role is admin", + "issueType": "IncorrectValue" }, { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive2", + "searchKey": "google_project_iam_member[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive2].role should not be admin", + "actualValue": "google_project_iam_member[positive2].role is admin", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
index 1c8cd5e2d32..6ab76f699d3 100644
--- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_member",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_member[positive1].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_member[positive1].role should be Service Account Token Creator",
+ "actualValue": "google_project_iam_member[positive1].role is not Service Account Token Creator",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_member",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_member[positive2].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_member[positive2].role should be Service Account User",
+ "actualValue": "google_project_iam_member[positive2].role is not Service Account User",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
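Review bot: The expectedValue/actualValue strings pinned in this fixture read inverted relative to what the query flags: `"google_project_iam_member[positive1].role should be Service Account Token Creator"` paired with `"... is not Service Account Token Creator"`, whereas the finding is raised precisely because the role is Token Creator (the sibling google_project_iam_binding fixture earlier in this diff phrases it correctly as "should not be"). Since this file records scanner output, the wording presumably originates in the query's keyExpectedValue/keyActualValue rather than here, so the fix belongs in that query.rego followed by regenerating this file. As committed, the test suite locks in a message that tells anyone triaging the result the opposite of the actual problem.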
diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
index dfbb79594bf..0dfc67ee9e2 100644
--- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Google Storage Bucket Level Access Disabled",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket",
+ "resourceName": "image-store.com",
+ "searchKey": "google_storage_bucket[positive1].uniform_bucket_level_access",
+ "searchValue": "",
+ "expectedValue": "google_storage_bucket[positive1].uniform_bucket_level_access should be true",
+ "actualValue": "google_storage_bucket[positive1].uniform_bucket_level_access is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Google Storage Bucket Level Access Disabled",
 "severity": "HIGH",
- "line": 20
+ "line": 20,
+ "filename": "positive.tf",
+ "resourceType": "google_storage_bucket",
+ "resourceName": "image-store.com",
+ "searchKey": "google_storage_bucket[positive2]",
+ "searchValue": "",
+ "expectedValue": "google_storage_bucket[positive2].uniform_bucket_level_access should be defined and not null",
+ "actualValue": "google_storage_bucket[positive2].uniform_bucket_level_access is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
index 748598a9f3a..2a4c61f06ac 100644
--- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "High Google KMS Crypto Key Rotation Period",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "google_kms_crypto_key",
+ "resourceName": "crypto-key-example",
+ "searchKey": "google_kms_crypto_key[positive1].rotation_period",
+ "searchValue": "",
+ "expectedValue": "'google_kms_crypto_key.rotation_period' should be less or equal to 7776000",
+ "actualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "High Google KMS Crypto Key Rotation Period",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.tf",
+ "resourceType": "google_kms_crypto_key",
+ "resourceName": "crypto-key-example",
+ "searchKey": "google_kms_crypto_key[positive2]",
+ "searchValue": "",
+ "expectedValue": "'google_kms_crypto_key.rotation_period' should be defined with a value less or equal to 7776000",
+ "actualValue": "'google_kms_crypto_key.rotation_period' is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json
index c22fd7d0919..b22f9fb9ac7 100644
--- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "IAM Audit Not Properly Configured",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_audit_config",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_audit_config[positive1].service",
+ "searchValue": "",
+ "expectedValue": "'service' must be 'allServices'",
+ "actualValue": "'service' is 'some_specific_service'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Audit Not Properly Configured",
 "severity": "LOW",
- "line": 9
+ "line": 9,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_audit_config",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members",
+ "searchValue": "",
+ "expectedValue": "'exempted_members' should be empty",
+ "actualValue": "'exempted_members' is not empty",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Audit Not Properly Configured",
 "severity": "LOW",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_audit_config",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.log_type",
+ "searchValue": "",
+ "expectedValue": "'log_type' must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'",
+ "actualValue": "'log_type' is INVALID_TYPE",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "IAM Audit Not Properly Configured",
 "severity": "LOW",
- "line": 23
+ "line": 23,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_audit_config",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.exempted_members",
+ "searchValue": "",
+ "expectedValue": "'exempted_members' should be empty",
+ "actualValue": "'exempted_members' is not empty",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json
index 7aeca99b89a..926e63436e5 100644
--- a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined",
+ "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'ip_allocation_policy' should be defined",
+ "actualValue": "Attribute 'ip_allocation_policy' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
- "line": 26
+ "line": 26,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive3]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'networking_mode' should be VPC_NATIVE",
+ "actualValue": "Attribute 'networking_mode' is ROUTES",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json
index e88a3bf1ab4..a5d47289805 100644
--- a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "IP Forwarding Enabled",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver].can_ip_forward",
+ "searchValue": "",
+ "expectedValue": "Attribute 'can_ip_forward' should be set to false or Attribute 'can_ip_forward' should be undefined",
+ "actualValue": "Attribute 'can_ip_forward' is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json
index e42c4e728af..5a303618d58 100644
--- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "KMS Admin and CryptoKey Roles In Use",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_project_iam_policy",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_policy[positive1].policy_data",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[positive1].policy_data should not assign a KMS admin role and CryptoKey role to the same member",
+ "actualValue": "google_iam_policy[positive1].policy_data assigns a KMS admin role and CryptoKey role to the same member",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json
index ae82865f667..e9184b997ec 100644
--- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "KMS Crypto Key is Publicly Accessible",
 "severity": "HIGH",
 "line": 24,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_kms_crypto_key_iam_policy",
+ "resourceName": "positive1",
+ "searchKey": "google_kms_crypto_key_iam_policy[positive1].policy_data",
+ "searchValue": "",
+ "expectedValue": "KMS crypto key should not be publicly accessible",
+ "actualValue": "KMS crypto key is publicly accessible",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "KMS Crypto Key is Publicly Accessible",
 "severity": "HIGH",
 "line": 24,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_kms_crypto_key_iam_policy",
+ "resourceName": "positive2",
+ "searchKey": "google_kms_crypto_key_iam_policy[positive2].policy_data",
+ "searchValue": "",
+ "expectedValue": "KMS crypto key should not be publicly accessible",
+ "actualValue": "KMS crypto key is publicly accessible",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json
index caebb0a4b0c..55062e0154c 100644
--- a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json
@@ -3,30 +3,65 @@
 "queryName": "Beta - Kubernetes Web UI Is Not Disabled",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled",
+ "searchValue": "",
+ "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'",
+ "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Kubernetes Web UI Is Not Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10",
+ "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Kubernetes Web UI Is Not Disabled",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive3].addons_config",
+ "searchValue": "",
+ "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10",
+ "actualValue": "'kubernetes_dashboard' is not defined inside the 'addons_config_version' block",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - Kubernetes Web UI Is Not Disabled",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": 
"marcellus-wallace", + "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 9, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json index c979a788738..d0dfbe2664b 100644 --- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json 
@@ -3,12 +3,26 @@
 "queryName": "Legacy Client Certificate Auth Enabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].master_auth",
+ "searchValue": "",
+ "expectedValue": "If 'master_auth' is defined, subattribute 'client_certificate_config' should be defined",
+ "actualValue": "Attribute 'client_certificate_config' in 'master_auth' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Legacy Client Certificate Auth Enabled",
 "severity": "LOW",
 "line": 24,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].master_auth.client_certificate_config.issue_client_certificate",
+ "searchValue": "",
+ "expectedValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' should be false",
+ "actualValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json
index 5bac758f86c..cc87d61371c 100644
--- a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json
@@ -3,36 +3,78 @@
 "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "vpc-legacy",
+ "searchKey": "google_compute_network[vpc_network_network].auto_create_subnetworks",
+ "searchValue": "",
+ "expectedValue": "'auto_create_subnetworks' should be defined to false",
+ "actualValue": "'auto_create_subnetworks' is defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "legacy-network",
+ "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks",
+ "searchValue": "",
+ "expectedValue": "'auto_create_subnetworks' should be defined to false",
+ "actualValue": "'auto_create_subnetworks' is defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "legacy-network",
+ "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks",
+ "searchValue": "",
+ "expectedValue": "'auto_create_subnetworks' should be defined to false",
+ "actualValue": "'auto_create_subnetworks' is defined to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_compute_network",
+ "resourceName": "vpc-legacy",
+ "searchKey": "google_compute_network[vpc_network_network]",
+ "searchValue": "",
+ "expectedValue": "'auto_create_subnetworks' should be 
defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.tf" + "filename": "positive5.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "fileName": "positive6.tf" + "filename": "positive6.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json index 31f830c43f3..227ad67914a 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json 
@@ -3,66 +3,143 @@
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive2.tf"
+ "line": 1,
+ "filename": "positive10.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive3.tf"
+ "line": 1,
+ "filename": "positive11.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive4.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive5.tf"
+ "line": 7,
+ "filename": "positive3.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive6.tf"
+ "line": 7,
+ "filename": "positive4.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive7.tf"
+ "filename": "positive5.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive8.tf"
+ "filename": "positive6.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive9.tf"
+ "filename": "positive7.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive10.tf"
+ "filename": "positive8.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive11.tf"
+ "filename": "positive9.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes",
+ "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json
index 9e27031c977..5fc2d907944 100644
--- a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json
@@ -3,54 +3,117 @@
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes",
+ "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive5.tf"
+ "filename": "positive5.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive6.tf"
+ "filename": "positive6.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive7.tf"
+ "filename": "positive7.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes",
+ "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive8.tf"
+ "filename": "positive8.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change_1",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes",
+ "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Custom Role Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive9.tf"
+ "filename": "positive9.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes",
+ "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json
index 3b5d13ac9cb..7bc772a93cb 100644
--- a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json
@@ -3,84 +3,182 @@
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive2.tf"
+ "line": 1,
+ "filename": "positive10.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive3.tf"
+ "line": 1,
+ "filename": "positive11.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive4.tf"
+ "line": 1,
+ "filename": "positive12.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive5.tf"
+ "filename": "positive13.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive6.tf"
+ "filename": "positive14.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive7.tf"
+ "line": 14,
+ "filename": "positive2.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive8.tf"
+ "line": 14,
+ "filename": "positive3.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive9.tf"
+ "line": 14,
+ "filename": "positive4.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive10.tf"
+ "filename": "positive5.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert (Log Match)",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert]",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes",
+ "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive11.tf"
+ "filename": "positive6.tf",
+ "resourceType": "google_monitoring_alert_policy",
+ "resourceName": "Audit Config Change Alert",
+ "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive12.tf"
+ "filename": "positive7.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "audit_config_change",
+ "searchKey": "google_logging_metric[audit_config_change].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive13.tf"
+ "filename": "positive8.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "project_ownership_with_not",
+ "searchKey": "google_logging_metric[positive8].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive14.tf"
+ "filename": "positive9.tf",
+ "resourceType": "google_logging_metric",
+ "resourceName": "project_ownership_with_not_remove",
+ "searchKey": "google_logging_metric[positive9].filter",
+ "searchValue": "",
+ "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes",
+ "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json
index ff7d73107ec..f86f143ace7 100644
--- a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json
@@ -2,31 +2,79 @@
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined",
+ "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined",
+ "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 30
+ "line": 30,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive3]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined",
+ "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 48
+ "line": 48,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive4].addons_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined",
+ "actualValue": "Attribute 'addons_config.network_policy_config' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 63
+ "line": 63,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive5].network_policy.enabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'network_policy.enabled' should be true",
+ "actualValue": "Attribute 'network_policy.enabled' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 86
+ "line": 86,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false",
+ "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
index 6f474f0d075..59f9f50b7a9 100644
--- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive1]",
+ "searchValue": "",
+ "expectedValue": "google_container_node_pool.management should be defined and not null",
+ "actualValue": "google_container_node_pool.management is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive2].management",
+ "searchValue": "",
+ "expectedValue": "management.auto_upgrade should be defined and not null",
+ "actualValue": "management.auto_upgrade is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive3].management.auto_upgrade",
+ "searchValue": "",
+ "expectedValue": "management.auto_upgrade should be true",
+ "actualValue": "management.auto_upgrade is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
index ef78f29a1c7..0934b77ef5e 100644
--- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Not Proper Email Account In Use",
 "severity": "LOW",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive1",
+ "searchKey": "google_project_iam_binding[positive1].members.user:jane@gmail.com",
+ "searchValue": "",
+ "expectedValue": "'members' cannot contain Gmail account addresses",
+ "actualValue": "'members' has email address: user:jane@gmail.com",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json
index f8e4466defc..5ce1d80d79d 100644
--- a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "OSLogin Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_project_metadata",
+ "resourceName": "positive1",
+ "searchKey": "google_compute_project_metadata[positive1].metadata.enable-oslogin",
+ "searchValue": "",
+ "expectedValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] should be true",
+ "actualValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "OSLogin Disabled",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_project_metadata",
+ "resourceName": "positive2",
+ "searchKey": "google_compute_project_metadata[positive2].metadata",
+ "searchValue": "",
+ "expectedValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] should be true",
+ "actualValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] is undefined",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
index 901a453aacf..092fdb628c4 100644
--- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "OSLogin Is Disabled For VM Instance",
 "severity": "MEDIUM",
- "line": 30
+ "line": 30,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "test",
+ "searchKey": "google_compute_instance[positive1].metadata.enable-oslogin",
+ "searchValue": "",
+ "expectedValue": "google_compute_instance[positive1].metadata.enable-oslogin should be true or undefined",
+ "actualValue": "google_compute_instance[positive1].metadata.enable-oslogin is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json
index 94ec761d1b6..fa40ee71130 100644
--- a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Outdated GKE Version",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25",
+ "actualValue": "GKE is using outated versions on min_master_version or node_version",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Outdated GKE Version",
 "severity": "LOW",
 "line": 25,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25",
+ "actualValue": "GKE is using outated versions on min_master_version or node_version",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json
index bcfcc520208..6880fed062c 100644
--- a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json
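Review bot: The replaced line in both objects renames the key `fileName` to `filename`, and the same rename appears in the service_account_with_improper_privileges, shielded_gke_node_do_not_have_integrity_monitoring_enabled and shielded_gke_nodes_disabled fixtures further down; if the test loader still unmarshals into a field tagged `fileName`, the new key is silently ignored and the file name stops being compared, so the loader's struct tag (outside this diff) should be confirmed to accept the new spelling. The added `expectedValue` and `actualValue` strings also carry "outated" for "outdated"; that wording presumably mirrors the query's rego message, so the correction belongs in query.rego followed by regenerating this fixture, not in the JSON alone.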
@@ -2,11 +2,27 @@
 {
 "queryName": "Pod Security Policy Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'pod_security_policy_config' should be defined",
+ "actualValue": "Attribute 'pod_security_policy_config' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Pod Security Policy Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true",
+ "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json
index c7baabbd4f9..9c25c337f45 100644
--- a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json
@@ -2,36 +2,92 @@
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config' should be defined and not null",
+ "actualValue": "Attribute 'private_cluster_config' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 16
+ "line": 16,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 30
+ "line": 30,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive3].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 44
+ "line": 44,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive4].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 58
+ "line": 58,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive5].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 73
+ "line": 73,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive6].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
- "line": 88
+ "line": 88,
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive7].private_cluster_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true",
+ "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
index a808b73efe3..c26b6fe9510 100644
--- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
@@ -1,12 +1,28 @@
 [
- {
- "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
- "severity": "MEDIUM",
- "line": 29
- },
- {
- "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
- "severity": "MEDIUM",
- "line": 39
- }
+ {
+ "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
+ "severity": "MEDIUM",
+ "line": 29,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "test",
+ "searchKey": "google_compute_instance[positive1].metadata.block-project-ssh-keys",
+ "searchValue": "",
+ "expectedValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys should be true",
+ "actualValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys is false",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
+ "severity": "MEDIUM",
+ "line": 39,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "test",
+ "searchKey": "google_compute_instance[positive2]",
+ "searchValue": "",
+ "expectedValue": "google_compute_instance[positive2].metadata should be set",
+ "actualValue": "google_compute_instance[positive2].metadata is undefined",
+ "issueType": "MissingAttribute"
+ }
 ]
diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
index 4f41a4dff84..a49ae4d75fb 100644
--- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive1].allow.ports",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include RDP port 3389",
+ "actualValue": "'google_compute_firewall[positive1].allow.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
- "line": 25
+ "line": 25,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive2].allow.ports",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include RDP port 3389",
+ "actualValue": "'google_compute_firewall[positive2].allow.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
- "line": 36
+ "line": 36,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive3].allow.ports",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include RDP port 3389",
+ "actualValue": "'google_compute_firewall[positive3].allow.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
index e27bdc8039a..c1b427379d6 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json 
@@ -3,36 +3,78 @@
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "admin",
+ "searchKey": "google_iam_policy[admin].binding.role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "project1",
+ "searchKey": "google_project_iam_binding[project1].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[project1].role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_project_iam_binding[project1].role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_project_iam_member",
+ "resourceName": "project2",
+ "searchKey": "google_project_iam_member[project2].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_member[project2].role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_project_iam_member[project2].role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "admin",
+ "searchKey": "google_iam_policy[admin].binding[1].role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "admin",
+ "searchKey": "google_iam_policy[admin].binding[0].role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "admin",
+ "searchKey": "google_iam_policy[admin].binding[1].role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member",
+ "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json
index 5a5da1c5c11..fd5585b3ac0 100644
--- a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].node_config.shielded_instance_config.enable_integrity_monitoring",
+ "searchValue": "",
+ "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'",
+ "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_container_node_pool",
+ "resourceName": "my-node-pool",
+ "searchKey": "google_container_node_pool[positive2].node_config.shielded_instance_config.enable_integrity_monitoring",
+ "searchValue": "",
+ "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'",
+ "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json
index 220d7612bc8..a4f9323050d 100644
--- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "Shielded GKE Nodes Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "my-gke-cluster",
+ "searchKey": "google_container_cluster[false].enable_shielded_nodes",
+ "searchValue": "",
+ "expectedValue": "google_container_cluster.enable_shielded_nodes should be set to true",
+ "actualValue": "google_container_cluster.enable_shielded_nodes is set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json
index 79d4d0df9eb..7b2b90ac54b 100644
--- a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json
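Review bot: The added `searchKey` reads `google_container_cluster[false].enable_shielded_nodes`, where the bracketed segment holds the attribute's value rather than a resource label (the surrounding fixtures use `positive1`-style labels there). That looks like the query's searchKey sprintf is being handed the `enable_shielded_nodes` value instead of the resource name; committing the fixture as-is pins that output, so query.rego should be checked and the fixture regenerated before merging. The corrected line would be `"searchKey": "google_container_cluster[<resource label>].enable_shielded_nodes",` with the placeholder replaced by whatever label the query emits.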
@@ -2,36 +2,92 @@
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config' should be defined and not null",
+ "actualValue": "Attribute 'shielded_instance_config' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver2].shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be defined",
+ "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver3].shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined",
+ "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 28
+ "line": 28,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver4].shielded_instance_config",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be defined",
+ "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 38
+ "line": 38,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true",
+ "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 49
+ "line": 49,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true",
+ "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Shielded VM Disabled",
 "severity": "MEDIUM",
- "line": 60
+ "line": 60,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "primary-application-server",
+ "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring",
+ "searchValue": "",
+ "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true",
+ "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
index 393569dc81e..79a7a8b7b14 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive1].settings",
+ "searchValue": "",
+ "expectedValue": "settings.backup_configuration should be defined and not null",
+ "actualValue": "settings.backup_configuration is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive2].settings.backup_configuration",
+ "searchValue": "",
+ "expectedValue": "settings.backup_configuration.enabled should be defined and not null",
+ "actualValue": "settings.backup_configuration.enabled is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Backup Disabled",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled",
+ "searchValue": "",
+ "expectedValue": "settings.backup_configuration.enabled should be true",
+ "actualValue": "settings.backup_configuration.enabled is false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json
index 2806d2b8c15..34cb34c7377 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json
@@ -2,21 +2,53 @@
 {
 "queryName": "SQL DB Instance Publicly Accessible",
 "severity": "CRITICAL",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive1].settings",
+ "searchValue": "",
+ "expectedValue": "'ip_configuration' should be defined and allow only trusted networks",
+ "actualValue": "'ip_configuration' is not defined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "SQL DB Instance Publicly Accessible",
 "severity": "CRITICAL",
- "line": 24
+ "line": 24,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "postgres-instance-2",
+ "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration.authorized_networks.value=0.0.0.0/0",
+ "searchValue": "",
+ "expectedValue": "'authorized_network' address should be trusted",
+ "actualValue": "'authorized_network' address is not restricted: '0.0.0.0/0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL DB Instance Publicly Accessible",
 "severity": "CRITICAL",
- "line": 41
+ "line": 41,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.ipv4_enabled",
+ "searchValue": "",
+ "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks",
+ "actualValue": "'ipv4_enabled' is enabled when there are no authorized networks",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SQL DB Instance Publicly Accessible",
 "severity": "CRITICAL",
- "line": 56
+ "line": 56,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "master-instance",
+ "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration",
+ "searchValue": "",
+ "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks",
+ "actualValue": "'private_network' is not defined when there are no authorized networks",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json
index 420abab1a70..2b7e622e9e2 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Beta - SQL DB Instance With Contained Database Authentication",
 "severity": "HIGH",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "sqlserver-instance-with-flag",
+ "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'contained database authentication' to 'off'",
+ "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'contained database authentication' to 'on'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - SQL DB Instance With Contained Database Authentication",
 "severity": "HIGH",
- "line": 31
+ "line": 31,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "sqlserver-instance-with-flag",
+ "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'contained database authentication' to 'off'",
+ "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'contained database authentication' to 'on'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
index e6bd2e4af21..974db57aad7 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json
@@ -2,26 +2,66 @@
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "mysql-instance-without-flag",
+ "searchKey": "google_sql_database_instance[positive_1]",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'skip_show_database' to 'on'",
+ "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 14
+ "line": 14,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "mysql-instance-without-flag",
+ "searchKey": "google_sql_database_instance[positive_2].settings",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'skip_show_database' to 'on'",
+ "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 23
+ "line": 23,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "mysql-instance-without-flag",
+ "searchKey": "google_sql_database_instance[positive_3].settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'skip_show_database' to 'on'",
+ "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'skip_show_database'",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 42
+ "line": 42,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "mysql-instance-with-flag",
+ "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'skip_show_database' to 'on'",
+ "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'skip_show_database' to 'off'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Beta - SQL DB Instance With Exposed Show Privileges",
 "severity": "MEDIUM",
- "line": 60
+ "line": 60,
+ "filename": "positive.tf",
+ "resourceType": "google_sql_database_instance",
+ "resourceName": "mysql-instance-with-flag",
+ "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name",
+ "searchValue": "",
+ "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'skip_show_database' to 'on'",
+ "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'skip_show_database' to 'off'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json
index 02d611da5aa..8b5fe634da3 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set '3625'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": 
"google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json index 207109252b2..30f406ef4de 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json index b435c637f0e..25142b6757e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json index 169c9cccca4..7cbb77b570a 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user connections' to '1001'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user connections' to '1000'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 162410cf2b9..e568db1dd84 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'local_infile'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 42 + 
"line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json index 3838bb1e30e..589b787533e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_duration_statement' to '2'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_duration_statement' to '3'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json index 794a4aa3bf3..e49688a1dc8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json index 65ddff52d04..c525a9d853f 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'remote access'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 42 + "line": 42, + 
"filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 842962c52cb..d68cbaf98c7 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive1", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "'settings.ip_configuration' should be defined and not null", + "actualValue": "'settings.ip_configuration' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive2", + "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", + "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 44 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive3", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be true", + "actualValue": "'settings.ip_configuration.require_ssl' is false", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json index d80d2459e37..0e8ca988f97 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_error_statement' to 'NOTICE'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG5'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG4'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index 970ae9b2077..f234c246c26 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_messages' to 'NOTICE'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_messages' to 'DEBUG5'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_messages' to 'INFO'", 
+ "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json index 097504c3cca..990b9385a37 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'cloudsql.enable_pgaudit'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 42 + 
"line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json index 35ce66f2aee..06f5a3d8564 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 42 + "line": 
42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json index bc25ddc5352..3a31923924c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 23 + "line": 23, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_disconnections'", + "issueType": "MissingAttribute" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": 
"MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue" }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 20101062af0..3dc9e58d046 100644 --- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json 
@@ -2,16 +2,40 @@
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive1].allow.ports=22",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive1].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive2].allow.ports=21-3390",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive2].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive3].allow.ports=0-65535",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive3].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
index 6977ed3614c..66df0844151 100644
--- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].logging_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'logging_service' is 'none'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].logging_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
index c36541dc9e3..721c34e5416 100644
--- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].monitoring_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'monitoring_service' is 'none'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive.tf"
+ "filename": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].monitoring_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
index aeb24e47caa..7f8c9799d88 100644
--- a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
@@ -3,18 +3,39 @@
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "positive",
+ "searchKey": "google_iam_policy[positive].binding.role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[positive].binding.role should not be set",
+ "actualValue": "google_iam_policy[positive].binding.role is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_binding[positive2].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[positive2].role should not be set",
+ "actualValue": "google_project_iam_binding[positive2].role is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "google_project_iam_member",
+ "resourceName": "positive3",
+ "searchKey": "google_project_iam_member[positive3].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_member[positive3].role should not be set",
+ "actualValue": "google_project_iam_member[positive3].role is set",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
index 1b71e217068..7c9cc9b4347 100644
--- a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
@@ -1,27 +1,67 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 46 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 73 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 100 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 127 - } + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 2, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", + "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 46, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive2].service_account", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", + "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null", + "issueType": "MissingAttribute" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 73, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive3].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", + "actualValue": "'google_compute_instance[positive3].service_account.email' is empty", + 
"issueType": "IncorrectValue" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 100, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive4].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", + "actualValue": "'google_compute_instance[positive4].service_account.email' is an email", + "issueType": "IncorrectValue" + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 127, + "filename": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive5].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", + "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json index ff4d783bffd..49f6397a274 100644 --- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json 
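Review bot: Every entry in this file is removed and re-added although only the new keys differ, which appears to be an indentation-only rewrite of the untouched `queryName`/`severity`/`line` lines and turns a field addition into a full-file replacement that a reviewer cannot diff line by line; the same pattern is in the vm_serial_ports_are_enabled_for_vm_instances hunk and in the gcp_bom dataflow, fi, pd, pst, redis and sb hunks. The sql_db_instance_*, ssh_access_is_not_restricted and stackdriver_* hunks in this same diff keep the existing lines and add only `"filename"` through `"issueType"`, which is the shape these fixtures should all have. If the reindentation is wanted, doing it repo-wide in a separate formatting commit would keep this change reviewable.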
@@ -1,17 +1,41 @@
 [
- {
- "queryName": "Serial Ports Are Enabled For VM Instances",
- "severity": "MEDIUM",
- "line": 26
- },
- {
- "queryName": "Serial Ports Are Enabled For VM Instances",
- "severity": "MEDIUM",
- "line": 38
- },
- {
- "queryName": "Serial Ports Are Enabled For VM Instances",
- "severity": "MEDIUM",
- "line": 44
- }
+ {
+ "queryName": "Serial Ports Are Enabled For VM Instances",
+ "severity": "MEDIUM",
+ "line": 26,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "test",
+ "searchKey": "google_compute_instance[positive1].metadata.serial-port-enable",
+ "searchValue": "",
+ "expectedValue": "google_compute_instance[positive1].metadata.serial-port-enable should be set to false or undefined",
+ "actualValue": "google_compute_instance[positive1].metadata.serial-port-enable is true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Serial Ports Are Enabled For VM Instances",
+ "severity": "MEDIUM",
+ "line": 38,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_project_metadata",
+ "resourceName": "positive2",
+ "searchKey": "google_compute_project_metadata[positive2].metadata.serial-port-enable",
+ "searchValue": "",
+ "expectedValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable should be set to false or undefined",
+ "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Serial Ports Are Enabled For VM Instances",
+ "severity": "MEDIUM",
+ "line": 44,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_project_metadata_item",
+ "resourceName": "positive3",
+ "searchKey": "google_compute_project_metadata_item[positive3].value",
+ "searchValue": "",
+ "expectedValue": "google_compute_project_metadata[positive3].value should be set to false",
+ "actualValue": "google_compute_project_metadata[positive3].value is true",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json
index ccabae58b6c..706b59f9da6 100644
--- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "VM With Full Cloud Access",
 "severity": "MEDIUM",
- "line": 20
+ "line": 20,
+ "filename": "positive.tf",
+ "resourceType": "google_compute_instance",
+ "resourceName": "test",
+ "searchKey": "google_compute_instance[positive1].service_account.scopes",
+ "searchValue": "",
+ "expectedValue": "'service_account.scopes' should not contain 'cloud-platform'",
+ "actualValue": "'service_account.scopes' contains 'cloud-platform'",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json
index 2af3f798c94..4dc384b94f7 100644
--- a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json
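Review bot: In the vm_serial_ports_are_enabled_for_vm_instances hunk the positive3 entry names `google_compute_project_metadata_item` in `resourceType` and `searchKey` but `google_compute_project_metadata[positive3].value` in `expectedValue` and `actualValue`, so the fixture now pins a finding message that points at the wrong resource type. These strings presumably mirror what the query emits, so the correction belongs in the query's message text (for example `"expectedValue": "google_compute_project_metadata_item[positive3].value should be set to false"` and the matching `actualValue`), after which this entry should be regenerated rather than edited by hand. The vm_with_full_cloud_access hunk on this same line is internally consistent.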
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "BOM - GCP Dataflow",
- "severity": "TRACE",
- "line": 1,
- "fileName": "positive.tf"
- },
- {
- "queryName": "BOM - GCP Dataflow",
- "severity": "TRACE",
- "line": 17,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "BOM - GCP Dataflow",
+ "severity": "TRACE",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_dataflow_job[pubsub_stream]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP Dataflow",
+ "severity": "TRACE",
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_dataflow_job[pubsub_stream2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ }
 ]
diff --git a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
index a404cecf273..6d2b3d1a8fd 100644
--- a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
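Review bot: The BillOfMaterials entries carry `"resourceType": ""` and `"resourceName": ""` even though `searchKey` already identifies the resource (`google_dataflow_job[pubsub_stream]`), while the general/* fixtures later in this diff use `"n/a"` for the same no-resource case, so the suite now pins two different sentinels for "not applicable". If this mirrors what each query emits, aligning the BOM queries with the `n/a` convention (or the reverse) before regenerating would keep one meaning per value; as written, a BOM query that later starts filling in `resourceType` will fail these tests rather than be caught as an improvement. The same applies to the fi, pd, pst, redis and sb hunks.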
@@ -1,20 +1,41 @@ [ - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 32, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 59, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 32, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 59, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + } ] diff --git a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json index 6a5425f770b..0f9ce2f3dbf 100644 --- a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json 
@@ -1,38 +1,80 @@ [ - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 12, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 28, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 60, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 76, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 1, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 12, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 28, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 44, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 60, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": 
"google_compute_disk[negative1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 76, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[negative2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + } ] diff --git a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json index 10570b71914..80667acfab2 100644 --- a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json 
@@ -1,26 +1,54 @@ [ - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 34, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 39, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 54, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 34, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 39, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 44, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 54, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + } ] diff --git a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json index d71c4801f0e..b594a13a95e 100644 --- a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "BOM - GCP Redis",
- "severity": "TRACE",
- "line": 1,
- "fileName": "positive.tf"
- },
- {
- "queryName": "BOM - GCP Redis",
- "severity": "TRACE",
- "line": 20,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "BOM - GCP Redis",
+ "severity": "TRACE",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_redis_instance[cache]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ },
+ {
+ "queryName": "BOM - GCP Redis",
+ "severity": "TRACE",
+ "line": 20,
+ "filename": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_redis_instance[cache2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials"
+ }
 ]
diff --git a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json
index 828876bd93d..9ca18871834 100644
--- a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json
@@ -1,20 +1,41 @@ [ - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 7, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 21, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 35, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 7, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 21, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 35, + "filename": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials" + } ] diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json index 8aa4d1411b4..7a6f6619417 100644 --- a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json +++ b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json 
@@ -3,6 +3,13 @@
 "queryName": "Generic Git Module Without Revision",
 "severity": "INFO",
 "line": 8,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module.{{acm}}.source",
+ "searchValue": "",
+ "expectedValue": "Module 'source' field should have a reference",
+ "actualValue": "Module 'source' field does not have reference",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json
index d0bdb653511..fed6b8ca524 100644
--- a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json
+++ b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Name Is Not Snake Case",
 "severity": "INFO",
 "line": 7,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "aws_eks_cluster",
+ "resourceName": "positiveExample",
+ "searchKey": "resource.aws_eks_cluster.positiveExample",
+ "searchValue": "",
+ "expectedValue": "All names should be on snake case pattern",
+ "actualValue": "'positiveExample' is not in snake case",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Name Is Not Snake Case",
 "severity": "INFO",
 "line": 14,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module.ACMPositive2",
+ "searchValue": "",
+ "expectedValue": "All names should be on snake case pattern",
+ "actualValue": "'ACMPositive2' is not in snake case",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json
index 3e3b2d3dd02..28de9e9a510 100644
--- a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json @@ -3,18 +3,39 @@ "queryName": "Output Without Description", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json index 258a22c6d70..4a0b10e58c5 100644 --- a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Variable Without Description", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Variable Without Description", "severity": "INFO", "line": 4, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Variable Without Description", "severity": "INFO", "line": 4, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json index 23a84ef45c7..6cad82fe9fb 100644 --- a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json 
@@ -3,18 +3,39 @@ "queryName": "Variable Without Type", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'type' should be defined and not null", + "actualValue": "'type' is undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "Variable Without Type", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty", + "issueType": "IncorrectValue" }, { "queryName": "Variable Without Type", "severity": "INFO", "line": 3, - "filename": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json index 6805a9ad4ae..71b0ae32407 100644 --- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "Github Organization Webhook With SSL Disabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "filename": "positive.tf",
+ "resourceType": "github_organization_webhook",
+ "resourceName": "web",
+ "searchKey": "github_organization_webhook[positive1].configuration.insecure_ssl",
+ "searchValue": "",
+ "expectedValue": "github_organization_webhook[positive1].configuration.insecure_ssl should be set to false",
+ "actualValue": "github_organization_webhook[positive1].configuration.insecure_ssl is true",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json
index 31ec489c64d..11b1cf361b2 100644
--- a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json
+++ b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", + "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null", + "issueType": "MissingAttribute" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive2].private", + "searchValue": "", + "expectedValue": "Attribute 'private' should be true", + "actualValue": "Attribute 'private' is false", + "issueType": "IncorrectValue" }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 28 + "line": 28, + "filename": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive3].visibility", + "searchValue": "", + "expectedValue": "Attribute 'visibility' should be 'private'", + "actualValue": "Attribute 'visibility' is 'public'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index b65157cbf48..3060432212a 100644 --- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "Cluster Admin Rolebinding With Superuser Permissions",
 "severity": "LOW",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_cluster_role_binding",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_cluster_role_binding[example2].role_ref.name",
+ "searchValue": "",
+ "expectedValue": "Resource name 'example2' isn't binding 'cluster-admin' role with superuser permissions",
+ "actualValue": "Resource name 'example2' is binding 'cluster-admin' role with superuser permissions",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
index d60af26b460..dd94411a50e 100644
--- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Cluster Allows Unsafe Sysctls",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls should be undefined",
+ "actualValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls is set",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Cluster Allows Unsafe Sysctls",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test].spec.security_context.sysctl",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name should not have an unsafe sysctl",
+ "actualValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name has an unsafe sysctl",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json
index a17728b6472..46a41d9b3cf 100644
--- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json
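Review bot: The `expectedValue` and `actualValue` strings of the positive2.tf entry contain the literal `%!s(int=0)`, which is Go's fmt marker for an integer argument handed to a `%s` verb, so this fixture pins a format-string bug in the query's message instead of the intended `sysctl[0].name`. Because the regenerated file only copies scan output, the defect most likely lives in the query's sprintf call and should be corrected there (an integer index wants `%d`) before this file is regenerated; as committed, fixing the query later will flip this test. If the file must land now, a PR comment pointing at the pinned marker would stop a later reader from treating it as the intended text.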
@@ -1,7 +1,15 @@
 [
- {
- "queryName": "Container Host Pid Is True",
- "severity": "MEDIUM",
- "line": 8
- }
+ {
+ "queryName": "Container Host Pid Is True",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.host_pid",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_pid' should be undefined or false",
+ "actualValue": "Attribute 'host_pid' is true",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json
index 5f763d57597..a3cac7b7abc 100644
--- a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 108 + "line": 108, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.privileged should not be set to true", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.privileged is set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json index 4b76be95a1c..20563ea17f9 100644 
--- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json
@@ -2,26 +2,66 @@ { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 106 + "line": 106, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.resources", + "searchValue": "requests", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 167 + "line": 167, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": 
"kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 224 + "line": 224, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json index 5476f5249cd..dd8fa5f8dda 100644 --- a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_proc_mount_types", + "searchValue": "", + "expectedValue": "allowed_proc_mount_types should contain the value Default", + "actualValue": "allowed_proc_mount_types contains the value Unmasked", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json index e0511da2eca..56fc020f90d 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json 
+++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json @@ -2,16 +2,40 @@ { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add is set", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 49 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 110 + "line": 110, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", + "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set", + "issueType": "IncorrectValue" } ] 
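Review bot: The `actualValue` of the positive2 entry (`"line": 110`) reads `kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set` with a doubled leading `k`, so the regenerated fixture is pinning a typo rather than the message the other two entries in this hunk use. Since this file is copied from scan output, the typo most likely sits in the query's keyActualValue for the single-container branch and should be fixed there before the fixture is regenerated; otherwise the next correction to the query will break this test. The expected line is `"actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add is set",`.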
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json
index 1431edfff6d..72f446efe35 100644
--- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json
@@ -2,16 +2,40 @@ { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 49 + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 110 + "line": 110, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json index b7b26baf05f..b101e3c7698 100644 
--- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json
@@ -2,31 +2,79 @@ { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 41 + "line": 41, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 80 + "line": 80, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - 
"line": 192 + "line": 192, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 249 + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json index 49ffaaccfbb..33f01a4b8f4 100644 --- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 42 + "line": 42, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 77 + "line": 77, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 134 + "line": 134, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not 
Set", "severity": "LOW", - "line": 192 + "line": 192, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 258 + "line": 258, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json index 7c8db3abbdc..2bfdc7456fa 100644 --- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "CronJob Deadline Not Configured", "severity": "LOW", - "line": 5 + "line": 5, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo].spec", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds should be set", + "actualValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds is undefined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json
index d4612a934f1..71b68df59fe 100644
--- a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Default Service Account In Use",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_service_account",
+ "resourceName": "default",
+ "searchKey": "kubernetes_service_account[example]",
+ "searchValue": "",
+ "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set",
+ "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Default Service Account In Use",
 "severity": "LOW",
- "line": 12
+ "line": 12,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_service_account",
+ "resourceName": "default",
+ "searchKey": "kubernetes_service_account[example2].automount_service_account_token",
+ "searchValue": "",
+ "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false",
+ "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json
index 403b8010754..e0b8c1585ae 100644
--- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json 
@@ -3,24 +3,52 @@ "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 25, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 26, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example2].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity should be set", + "actualValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 28, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", + "actualValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined", + "issueType": "IncorrectValue" }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", 
"line": 33,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity",
+ "searchValue": "",
+ "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata",
+ "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json
index 5d71a40a159..b20d6e05aab 100644
--- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Deployment Without PodDisruptionBudget",
 "severity": "LOW",
- "line": 13
+ "line": 13,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_deployment[example].spec.selector.match_labels",
+ "searchValue": "",
+ "expectedValue": "kubernetes_deployment[example].spec.selector.match_labels is targeted by a PodDisruptionBudget",
+ "actualValue": "kubernetes_deployment[example].spec.selector.match_labels is not targeted by a PodDisruptionBudget",
+ "issueType": "MissingAttribute"
 }
 ]
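Review bot: The third entry of this hunk pins `"issueType": "IncorrectValue"` against an actualValue that reads `...pod_affinity_term.topology_key is invalid or undefined`; by the convention the rest of this fixture follows, an undefined attribute is `MissingAttribute`, so the fixture now certifies an issueType that its own message contradicts for one of the two cases it claims to cover. Since the generator in this PR derives issueType from query.rego rather than from a scan, the rego is the place to check: either the undefined case is a separate result with its own issueType and belongs in this fixture as well, or the message should be narrowed to `topology_key is not 'kubernetes.io/hostname'` before regenerating. The hunk header and its first two entries are on the preceding source line.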
diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 396c3aff1e1..b7b28748d1d 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json 
@@ -2,31 +2,79 @@ { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 16 + "line": 16, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 96 + "line": 96, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 103 + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": 
"spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 164 + "line": 164, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 171 + "line": 171, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json index 6dbd73ffe61..195286f613a 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json 
@@ -2,11 +2,27 @@
 {
 "queryName": "HPA Targets Invalid Object",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_horizontal_pod_autoscaler",
+ "resourceName": "test",
+ "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric",
+ "searchValue": "",
+ "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object",
+ "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "HPA Targets Invalid Object",
 "severity": "LOW",
- "line": 49
+ "line": 49,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_horizontal_pod_autoscaler",
+ "resourceName": "test",
+ "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric",
+ "searchValue": "",
+ "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object",
+ "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json
index be0213dc98f..28ef6f1aa7e 100644
--- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json
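Review bot: Both entries pin the actualValue `...spec.metric is a invalid object`, so the grammatical slip (`a invalid` rather than `an invalid`) is now asserted by the test suite, and a later wording fix to the rego message will fail this fixture. Since this PR is already regenerating the file, correcting the sprintf format in query.rego first and re-running the generator would avoid baking the slip into the expected results. The `IncorrectValue` issueType is appropriate for both entries.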
@@ -3,12 +3,26 @@
 "queryName": "Image Pull Policy Of The Container Is Not Set To Always",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "busybox-tf",
+ "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy",
+ "searchValue": "",
+ "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'",
+ "actualValue": "Attribute 'image_pull_policy' is incorrect",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Image Pull Policy Of The Container Is Not Set To Always",
 "severity": "LOW",
 "line": 30,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy",
+ "searchValue": "",
+ "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'",
+ "actualValue": "Attribute 'image_pull_policy' is incorrect",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json
index 95f2aae226c..b77c91ccd0f 100644
--- a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json
@@ -2,31 +2,79 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 88 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 142 + "line": 142, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image does not have '@'", + "issueType": "IncorrectValue" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 170 + "line": 170, + "filename": "positive.tf", + 
"resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[1].image does not have '@'", + "issueType": "IncorrectValue" }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 224 + "line": 224, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.image has '@'", + "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 94f5dfadaaf..90397c0d861 100644 --- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json 
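Review bot: The first three entries of this hunk pin `...image should be set` / `...image is undefined` with `MissingAttribute` under the Image Without Digest query, while the invalid_image fixture in this same change pins the identical condition (`kubernetes_pod[positive2].spec.container.image should be set`) under its own query. A container with no `image` therefore yields two findings for one defect, and an absent image is arguably outside a digest check's scope since there is no reference to pin. Worth confirming in query.rego whether the undefined-image branch is intentional; if it is kept, the fixture is correct as generated. The hunk header and its first entries are on the preceding source line.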
@@ -1,12 +1,28 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 166 + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 166, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has only one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue" }, { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 367 + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 367, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template has one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json index 65dc81ee597..717032cd641 100644 --- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json 
@@ -1,20 +1,41 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.tf" - }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.tf" - }, + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "filename": "positive1.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example", + "searchKey": "kubernetes_ingress[example].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example] is exposing the workload", + "issueType": "IncorrectValue" + }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive3.tf" - } + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 32, + "filename": "positive2.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-ingress", + "searchKey": "kubernetes_ingress[example-ingress-2].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-ingress-2] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload", + "issueType": "IncorrectValue" + }, + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "filename": "positive3.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-4", + "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-4] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-4] is exposing the workload", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json
index e716875d876..9ffa218c56f 100644
--- a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json
@@ -2,16 +2,40 @@
 {
 "queryName": "Invalid Image",
 "severity": "LOW",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.container.image",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive1].spec.container.image should not be empty or latest",
+ "actualValue": "kubernetes_pod[positive1].spec.container.image is empty or latest",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Invalid Image",
 "severity": "LOW",
- "line": 60
+ "line": 60,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive2",
+ "searchKey": "kubernetes_pod[positive2].spec.container",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set",
+ "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Invalid Image",
 "severity": "LOW",
- "line": 113
+ "line": 113,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive3",
+ "searchKey": "kubernetes_pod[positive3].spec.container",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest",
+ "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json
index 85c9711ffc6..f87e86235a8 100644
--- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Liveness Probe Is Not Defined",
 "severity": "INFO",
 "line": 7,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test].spec.container",
+ "searchValue": "",
+ "expectedValue": "Attribute 'livenessProbe' should be defined and not null",
+ "actualValue": "Attribute 'livenessProbe' is undefined or null",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Liveness Probe Is Not Defined",
 "severity": "INFO",
 "line": 27,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_deployment[example].spec.template.spec.container",
+ "searchValue": "",
+ "expectedValue": "Attribute 'livenessProbe' should be defined and not null",
+ "actualValue": "Attribute 'livenessProbe' is undefined or null",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json
index c597226e123..17a12a37101 100644
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json
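Review bot: Both entries pin `Attribute 'livenessProbe' should be defined and not null`, but this is the Terraform platform and the block users must add is `liveness_probe` — the `searchKey` values in the same entries already use the snake_case provider schema (`spec.container`, `spec.template.spec.container`). The remediation text a user sees will therefore name a key that does not exist in the provider's schema; correcting the rego message to `liveness_probe` before regenerating keeps the fixture from pinning the wrong name. The two fields of one finding (`searchKey` vs `expectedValue`) should agree on the naming convention.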
@@ -2,46 +2,118 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 53 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 107 + "line": 107, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 136 + "line": 136, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + "issueType": 
"MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 193 + "line": 193, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 228 + "line": 228, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 288 + "line": 288, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 343 + "line": 343, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined", + 
"issueType": "MissingAttribute" }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 400 + "line": 400, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive6", + "searchKey": "kubernetes_pod[positive6].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive6].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive6].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json index 3c6c5a5ea26..b644176dd28 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json 
@@ -2,46 +2,118 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 12 + "line": 12, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 51 + "line": 51, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 109 + "line": 109, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 138 + "line": 138, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + 
"issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 195 + "line": 195, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 231 + "line": 231, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 296 + "line": 296, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 350 + "line": 350, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": 
"kubernetes_pod[positive5].spec.container.resources is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Memory Requests Not Defined",
 "severity": "MEDIUM",
- "line": 408
+ "line": 408,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive6",
+ "searchKey": "kubernetes_pod[positive6].spec.container.resources",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive6].spec.container.resources.requests should be set",
+ "actualValue": "kubernetes_pod[positive6].spec.container.resources.requests is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json
index be2692d29e4..587133dcb16 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Metadata Label Is Invalid",
 "severity": "LOW",
- "line": 5
+ "line": 5,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "test",
+ "searchKey": "kubernetes_pod[test].metadata.labels",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[test].metada.labels[app] has valid label",
+ "actualValue": "kubernetes_pod[test].metada.labels[app] has invalid label",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json
index c43d7e7304b..3f632f79aa4 100644
--- a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json
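Review bot: The metadata_label_is_invalid entry pins `kubernetes_pod[test].metada.labels[app] has valid label` and the matching actualValue, so the `metada` typo in the rego's sprintf format is now asserted by the test and will cause a regression failure the moment someone corrects it. The `searchKey` of the same finding already uses the correct `metadata.labels` path, so two fields of one result currently disagree; fixing the format string in query.rego (`metadata.labels[%s]`, or whatever the existing placeholder is) and regenerating is the right order of operations. The memory_requests hunk that ends at the top of this line looks fine.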
+++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json
@@ -2,11 +2,27 @@
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example1",
+ "searchKey": "kubernetes_pod[example1].metadata.annotations",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[example1].metadata.annotations should contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'",
+ "actualValue": "kubernetes_pod[example1].metadata.annotations doesn't contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
- "line": 58
+ "line": 58,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_pod[example2].metadata",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[example2].metadata should include annotations for AppArmor profile config",
+ "actualValue": "kubernetes_pod[example2].metadata doesn't contain AppArmor profile config in annotations",
+ "issueType": "MissingAttribute"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
index 5d875e4801c..d767b2c118e 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
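Review bot: The first entry pins the check to the `container.apparmor.security.beta.kubernetes.io` annotation only. Kubernetes 1.30 moved AppArmor to GA with a `securityContext.appArmorProfile` field and deprecated that annotation, so a pod that sets its profile the supported way (if the provider version in use exposes that field) would still be reported here as missing AppArmor config — a false positive that steers users toward the deprecated mechanism. Worth confirming against the provider schema and, if the field is available, extending query.rego to accept either form before regenerating this fixture. The issueType split (IncorrectValue when annotations exist without the key, MissingAttribute when there are no annotations at all) is consistent with the rest of the change.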
@@ -2,6 +2,14 @@
 {
 "queryName": "NET_RAW Capabilities Disabled for PSP",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.required_drop_capabilities",
+ "searchValue": "",
+ "expectedValue": "spec.required_drop_capabilities 'is ALL or NET_RAW'",
+ "actualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
index 163f143b573..5d06d443fdb 100644
--- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
@@ -2,61 +2,157 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 13 + "line": 13, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 82 + "line": 82, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 117 + "line": 117, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": 
"kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 150 + "line": 150, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 183 + "line": 183, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 212 + "line": 212, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 241 + "line": 241, + "filename": "positive.tf", + "resourceType": 
"kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 299 + "line": 299, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 358 + "line": 358, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 415 + "line": 415, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", + "actualValue": 
"kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 467 + "line": 467, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index 8db62c08375..b991ca5e966 100644 --- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Network Policy Is Not Targeting Any Pod", "severity": "LOW", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_network_policy", + "resourceName": "terraform-example-network-policy", + "searchKey": "kubernetes_network_policy[example].spec.pod_selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is targeting at least a pod", + "actualValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is not targeting any pod", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json index 27f74e88b00..903ee2edcf9 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json 
@@ -3,54 +3,117 @@ "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 12, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 47, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 141, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined", + "issueType": "IncorrectValue" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": 
"kubernetes_pod[test20].spec.container[0].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 44, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 136, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 7, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 36, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + 
"resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 124, - "fileName": "positive3.tf" + "filename": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test31", + "searchKey": "kubernetes_pod[test31].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json index be69b39ed6f..f23b522a8ba 100644 --- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 53 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 113 + "line": 113, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_pod[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 173 + "line": 173, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 233 + "line": 233, + "filename": "positive.tf", + "resourceType": 
"kubernetes_persistent_volume", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json index 407515d5dbd..bc3f00953a5 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json 
@@ -3,48 +3,104 @@ "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_role[example2].rule.verbs should not contain the value 'create' when kubernetes_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example2].rule.verbs contains the value 'create' and kubernetes_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 57, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_role[example3].rule.verbs should not contain a wildcard value when kubernetes_role[example3].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example3].rule.verbs contains a wildcard value and kubernetes_role[example3].rule.resources contains the value 'pods'", + 
"issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_role[example4].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_role[example4].rule.verbs should not contain a wildcard value when kubernetes_role[example4].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example4].rule.verbs contains a wildcard value and kubernetes_role[example4].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_cluster_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_cluster_role[example1].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example1].rule.verbs contains the value 'create' and kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_cluster_role[example2].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example2].rule.verbs contains 
the value 'create' and kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_cluster_role[example3].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_cluster_role[example3].rule.verbs should not contain a wildcard value when kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example3].rule.verbs contains a wildcard value and kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "issueType": "IncorrectValue" }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_cluster_role[example4].rule.verb should not contain a wildcard value when kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json index 597ff9f41c0..cb8fffff383 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json 
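Review bot: The positive2.tf line 45 entry pins `kubernetes_cluster_role[example4].rule.verb should not contain a wildcard value ...` with singular `rule.verb`, while every other entry in this hunk, including that entry's own `searchKey` `kubernetes_cluster_role[example4].rule.verbs.*`, says `rule.verbs`. This is presumably a typo in the wildcard branch of query.rego; fixing it there and regenerating now avoids a fixture that only passes against the misspelled message.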
+++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json 
@@ -2,26 +2,66 @@ { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive1].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 36 + "line": 36, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 88 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined", + "issueType": "MissingAttribute" }, { 
"queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 89 + "line": 89, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json index 291dc7b524f..3feb8e570fa 100644 --- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json 
@@ -2,16 +2,40 @@ { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 14 + "line": 14, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 47 + "line": 47, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 108 + "line": 108, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json index 116cddb31d2..19282f91fec 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "PSP Allows Containers To Share The Host Network Namespace", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.host_network", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json index fb790fc97db..9514f955cc7 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "PSP Allows Privilege Escalation", "severity": "HIGH", - "line": 50 + "line": 50, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation should be set", + "actualValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json index 65f43ef0cb9..74a7600a9fd 100644 --- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json 
@@ -2,6 +2,14 @@
 {
 "queryName": "PSP Allows Sharing Host IPC",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example2].spec.host_ipc",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_ipc' should be undefined or false",
+ "actualValue": "Attribute 'host_ipc' is true",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
index 18055bdda6c..cc2dd2e30f1 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.privileged",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false",
+ "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is not set to false",
+ "issueType": "IncorrectValue"
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
index 9721fb8119a..7bdea3ee5ef 100644
--- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
@@ -2,6 +2,14 @@ { "queryName": "PSP With Added Capabilities", "severity": "HIGH", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_capabilities", + "searchValue": "", + "expectedValue": "Pod Security Policy example should not have allowed capabilities", + "actualValue": "Pod Security Policy example has allowed capabilities", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 8a2bf2e74fc..b2eca4b5a64 100644 --- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 48 + "line": 48, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 62 + "line": 62, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json index ffe1dad2b4d..09b5f5ba6af 100644 --- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -2,16 +2,40 @@ { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", + "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 60 + "line": 60, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[0].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[0].readiness_probe is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 89 + "line": 89, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[1].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined", + "issueType": "MissingAttribute" } ] 
diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json index 72f7c8c2f21..71b7f036efd 100644 --- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 1 + "line": 1, + "filename": "positive.tf", + "resourceType": "kubernetes_role_binding", + "resourceName": "terraform-example", + "searchKey": "resource.kubernetes_role_binding[example]", + "searchValue": "", + "expectedValue": "resource.kubernetes_role_binding[example].subject[1].name should not be default", + "actualValue": "resource.kubernetes_role_binding[example].subject[1].name is default", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 0bf69a1330c..480eb6c3108 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json 
@@ -2,16 +2,40 @@
 {
 "queryName": "Root Container Not Mounted As Read-only",
 "severity": "LOW",
- "line": 14
+ "line": 14,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true",
+ "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Root Container Not Mounted As Read-only",
 "severity": "LOW",
- "line": 44
+ "line": 44,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set",
+ "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Root Container Not Mounted As Read-only",
 "severity": "LOW",
- "line": 103
+ "line": 103,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive2",
+ "searchKey": "kubernetes_pod[positive2].spec.container.security_context",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem should be set",
+ "actualValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem is undefined",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json
index cef67ea3ebd..fbb1afd142f 100644
--- a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json
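Review bot: The line-44 entry of this hunk freezes a broken message as the expected result: `expectedValue` and `actualValue` both contain `%!d(string={...})`, which is Go's fmt diagnostic for a `%d` verb fed a string, and the whole container object is dumped into the path; the `actualValue` also starts with `kkubernetes_pod` instead of `kubernetes_pod`. Pinning these strings in the fixture turns the formatting bug into the contract, so a later fix to the query's sprintf would fail this test instead of the test catching the bug. The line-44 and line-103 entries are also tagged `"issueType": "IncorrectValue"` while their `actualValue` says `security_context is undefined`; elsewhere in this commit (psp_allows_privilege_escalation, readiness_probe_is_not_configured) an "is undefined" result is tagged `MissingAttribute`, so the mapping here looks inconsistent unless the query deliberately reports it that way. I would correct the query's message template and regenerate this file rather than commit the garbled values; the rego itself is outside this diff, so the exact fix is inferred.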
@@ -2,26 +2,66 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 19 + "line": 19, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.run_as_user.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 27, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": 
"kubernetes_pod_security_policy[example].spec.supplemental_groups.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule limits its ranges", + "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges", + "issueType": "IncorrectValue" }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 37 + "line": 37, + "filename": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", + "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json index d0fae507cba..7b8d3a81f35 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json 
@@ -2,46 +2,118 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 2 + "line": 2, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod1].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", + "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 58 + "line": 58, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod2].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 115 + "line": 115, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod3].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 184 + "line": 184, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata", + "searchValue": "", + "expectedValue": 
"kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 215 + "line": 215, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 249 + "line": 249, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 284 + "line": 284, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment1", + "searchKey": "kubernetes_deployment[deployment1].spec.template.metadata", + "searchValue": "", + "expectedValue": 
"kubernetes_deployment[deployment1].spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 348 + "line": 348, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment2", + "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 411 + "line": 411, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment3", + "searchKey": "kubernetes_deployment[deployment3].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json index 369bb9a954f..100ad87ea1d 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json 
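Review bot: The expected messages in this hunk (starting at L3446) pin the check to the `seccomp.security.alpha.kubernetes.io/defaultProfileName` annotation, e.g. `"...metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set"`. That annotation is deprecated and no longer honoured since Kubernetes 1.25, where seccomp is configured through `securityContext.seccompProfile` instead. If the query only inspects the annotation (the rego is outside this diff, so this is inferred from the messages), a pod that sets the provider's `security_context { seccomp_profile { ... } }` block would presumably still be reported as missing a profile, while a pod carrying only the annotation passes even though a current cluster applies no profile. Worth recording next to the fixture so the next person who regenerates it knows the expected strings encode the legacy check, not the current one.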
+++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json @@ -2,11 +2,27 @@ { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 11 + "line": 11, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref is set", + "issueType": "IncorrectValue" }, { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 20 + "line": 20, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env_from", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env_from.secret_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env_from.secret_ref is set", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json index fe3d702c932..48a474d485e 100644 --- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json 
@@ -1,12 +1,28 @@ [ - { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 7 - }, { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 49 - } + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "cluster_role_name", + "searchKey": "kubernetes_cluster_role[cluster_role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue" + }, + { + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 49, + "filename": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "role_name", + "searchKey": "kubernetes_role[role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_role[role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_role[role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json index 27d1d3d2d7e..af3d51eb554 100644 --- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json 
@@ -1,20 +1,41 @@
 [
- {
- "queryName": "Service Account Name Undefined Or Empty",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive1.tf"
- },
 {
- "queryName": "Service Account Name Undefined Or Empty",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.tf"
- },
+ "queryName": "Service Account Name Undefined Or Empty",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test1].spec",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[test1].spec.service_account_name should be defined and not null",
+ "actualValue": "kubernetes_pod[test1].spec.service_account_name is undefined or null",
+ "issueType": "MissingAttribute"
+ },
 {
- "queryName": "Service Account Name Undefined Or Empty",
- "severity": "MEDIUM",
- "line": 36,
- "fileName": "positive3.tf"
- }
+ "queryName": "Service Account Name Undefined Or Empty",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test2].spec",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[test2].spec.service_account_name should be defined and not null",
+ "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Service Account Name Undefined Or Empty",
+ "severity": "MEDIUM",
+ "line": 36,
+ "filename": "positive3.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test3].spec.service_account_name",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct",
+ "actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty",
+ "issueType": "IncorrectValue"
+ }
 ]
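Review bot: The removed entries carried the file under `"fileName"` and the added ones carry it under `"filename"`; the same rename appears in the service_with_external_load_balancer hunk at L3455. If the fixture comparator reads a fixed key name, a key it does not read is silently ignored rather than failing, so the per-file assertion that used to exist (`positive1.tf` vs `positive2.tf` at the same line 6) would be lost without any test noticing. Please confirm the comparison code was updated to `filename` in the same change; that code is not part of this diff, so this is inferred from the key change alone.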
diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json index 426e5be9aa5..fee1c8f83c7 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json 
@@ -2,21 +2,53 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 25 + "line": 25, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 88 + "line": 88, + "filename": "positive.tf", + "resourceType": "kubernetes_daemonset", + "resourceName": "example2", + "searchKey": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 144 + "line": 144, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue" }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 162 + "line": 162, + "filename": "positive.tf", + 
"resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test6].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", + "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute" } ] diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json index 2a1207f9ac7..3d51d740b89 100644 --- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Service Type is NodePort", "severity": "LOW", - "line": 15 + "line": 15, + "filename": "positive.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example", + "searchKey": "kubernetes_service[example].spec.type", + "searchValue": "", + "expectedValue": "kubernetes_service[example].spec.type should not be 'NodePort'", + "actualValue": "kubernetes_service[example].spec.type is 'NodePort'", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json index 0dea266ccaf..7ebf5b9f61f 100644 --- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json 
@@ -3,30 +3,65 @@
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example1",
+ "searchKey": "kubernetes_service[example1].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_service[example2].metadata.name",
+ "searchValue": "",
+ "expectedValue": "'metadata.annotations' should be set",
+ "actualValue": "'metadata.annotations' is undefined",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_service[example2].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example3",
+ "searchKey": "kubernetes_service[example3].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example4",
+ "searchKey": "kubernetes_service[example4].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json
index 31f178f754c..2a17a1fde39 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "Shared Host IPC Namespace",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.host_ipc",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_ipc' should be undefined or false",
+ "actualValue": "Attribute 'host_ipc' is true",
+ "issueType": "IncorrectValue"
 }
 ]
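Review bot: Four of the five entries in this hunk (starting at L3455) commit `%!(EXTRA string=example1)` and its siblings inside `expectedValue` and `actualValue`; that suffix is Go's fmt diagnostic for a sprintf call given one more argument than its format consumes, so the fixture now asserts on a malformed message. Regenerating after the query's format string is fixed (either consume the name in the template or drop the argument) is the durable fix; as committed, the eventual fix to the query will fail this test. The `searchKey` values `kubernetes_service[exampleN].metadata.name.annotations` also place `annotations` under `metadata.name`, which does not match the `metadata.annotations` wording in the same messages and looks like a path-construction slip in the query; the rego is outside this diff, so that part is inferred.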
diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json index 1b6b06fed37..0fe96c66e02 100644 --- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json @@ -2,6 +2,14 @@ { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 7 + "line": 7, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.host_network", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.host_network should be undefined or set to false", + "actualValue": "kubernetes_pod[test].spec.host_network is set to true", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json index e78930ea639..31eee55164f 100644 --- a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json 
@@ -1,7 +1,15 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 46 - } + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 46, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "with_pod_affinity", + "searchKey": "kubernetes_pod[with_pod_affinity].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name should not be shared with other workloads", + "actualValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name is shared with other workloads", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json index 6c3a8961b44..963d6877f85 100644 --- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json @@ -1,7 +1,15 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 177 - } + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 177, + "filename": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage should not be set", + "actualValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage is set to 16Gi", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json
index d73ea9ec410..bec725226cc 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "StatefulSet Without PodDisruptionBudget",
 "severity": "LOW",
- "line": 23
+ "line": 23,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_stateful_set",
+ "resourceName": "prometheus",
+ "searchKey": "kubernetes_stateful_set[prometheus].spec.selector.match_labels",
+ "searchValue": "",
+ "expectedValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is targeted by a PodDisruptionBudget",
+ "actualValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is not targeted by a PodDisruptionBudget",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json
index 027d6c8df6f..bb462420cdc 100644
--- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json
@@ -2,6 +2,14 @@
 {
 "queryName": "StatefulSet Without Service Name",
 "severity": "LOW",
- "line": 49
+ "line": 49,
+ "filename": "positive.tf",
+ "resourceType": "kubernetes_stateful_set",
+ "resourceName": "prometheus",
+ "searchKey": "kubernetes_stateful_set[prometheus].spec.service_name",
+ "searchValue": "",
+ "expectedValue": "kubernetes_stateful_set[prometheus].spec.service_name should refer to a Headless Service",
+ "actualValue": "kubernetes_stateful_set[prometheus].spec.service_name does not refer to a Headless Service",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json
index 7c94b93083e..552506df2d2 100644
--- a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json
@@ -2,26 +2,66 @@ { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 3 + "line": 3, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].metadata should not refer any to a Tiller resource", + "actualValue": "kubernetes_pod[positive1].metadata refers to a Tiller resource", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 8 + "line": 8, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image shouldn't have any Tiller containers", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image contains a Tiller container", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 103 + "line": 103, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image shouldn't have any Tiller containers", + "actualValue": "kubernetes_pod[positive2].spec.container.image contains a Tiller container", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 175 + "line": 175, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.metadata should not refer to any Tiller resource", + "actualValue": "kubernetes_deployment[example].spec.template.metadata 
does not refer to any Tiller resource", + "issueType": "IncorrectValue" }, { "queryName": "Tiller (Helm v2) Is Deployed", "severity": "HIGH", - "line": 200 + "line": 200, + "filename": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers", + "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container", + "issueType": "IncorrectValue" } ] diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json index a87047d0ac8..37d8b606ae0 100644 --- a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json 
@@ -2,11 +2,27 @@ { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 4 + "line": 4, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].metadata.namespace", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].metadata.namespace should not be set to 'default'", + "actualValue": "kubernetes_pod[test].metadata.namespace is set to 'default'", + "issueType": "IncorrectValue" }, { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 9 + "line": 9, + "filename": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "test2", + "searchKey": "kubernetes_cron_job[test2].metadata", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[test2].metadata should be set", + "actualValue": "kubernetes_cron_job[test2].metadata is undefined", + "issueType": "MissingAttribute" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 99f3567bd50..70b3aefc3c0 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json 
@@ -3,84 +3,182 @@ "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 66, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 100, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 158, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": 
"kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 163, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 250, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 255, - "fileName": "positive1.tf" + "filename": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + 
"filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 70, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 105, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 164, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", + 
"actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 170, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 258, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue" }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 264, - "fileName": "positive2.tf" + "filename": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue" } ] 
diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json
index 980fe8919ff..38dd32edbbf 100644
--- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "Workload Host Port Not Specified",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod[test].spec.container.port",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_port' should be defined and not null",
+ "actualValue": "Attribute 'host_port' is undefined or null",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Workload Host Port Not Specified",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_port' should be defined and not null",
+ "actualValue": "Attribute 'host_port' is undefined or null",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json
index af7be5fa4ba..bff75f2e890 100644
--- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json
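Review bot: Both new entries in workload_host_port_not_specified label the finding `"issueType": "IncorrectValue"` while their `actualValue` reads `"Attribute 'host_port' is undefined or null"`, which elsewhere in this change (cron_job metadata, the volume_mount read_only entries) is tagged `MissingAttribute`. The script takes issueType from query.rego rather than from the message, so if the query indeed reports IncorrectValue for an undefined attribute the inconsistency lives in the query, but committing it here turns it into a regression guard that will fail once the query is corrected. I would either align the query and regenerate, or at least note the discrepancy next to the fixture so the next person to touch it does not "fix" the test instead of the query.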
@@ -2,11 +2,27 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 53 + "line": 53, + "filename": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_pod[test1].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example1' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example1' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue" }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 112, + "filename": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_persistent_volume[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example2' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example2' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue" } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index 3b339c90f90..c9840f830d6 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json 
@@ -1,14 +1,28 @@ [ - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive1.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue" + }, + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive2.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json index c155888d657..4202cb9c10d 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group_rule", + "resourceName": "positive", + "searchKey": "nifcloud_security_group_rule[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group_rule[positive]' set a more restrictive cidr range", + "actualValue": "'nifcloud_security_group_rule[positive]' allows traffic from /0", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json index 9aa880cd9a9..a98b0ebf084 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud Computing Undefined Security Group To Instance", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud Computing Undefined Security Group To Instance", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should include a security_group for security purposes", + "actualValue": "'nifcloud_instance[positive]' does not have a security_group", + "issueType": "MissingAttribute" + } ] 
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json index 1b4ae154932..01212fa5cbb 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud Computing Undefined Description To Security Group", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud Computing Undefined Description To Security Group", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group[positive]' should include a description for auditing purposes", + "actualValue": "'nifcloud_security_group[positive]' does not have a description", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json index 9bd94917eb8..6b01d1aaa34 100644 --- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json 
@@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud Computing Undefined Description To Security Group Rule", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud Computing Undefined Description To Security Group Rule", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_security_group_rule", + "resourceName": "positive", + "searchKey": "nifcloud_security_group_rule[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group_rule[positive]' should include a description for auditing purposes", + "actualValue": "'nifcloud_security_group_rule[positive]' does not have a description", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json index 27c28135d5e..e88ee9d745a 100644 --- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json 
@@ -1,14 +1,28 @@
 [
- {
- "queryName": "Nifcloud Low RDB Backup Retention Period",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud Low RDB Backup Retention Period",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud Low RDB Backup Retention Period",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days",
+ "actualValue": "'nifcloud_db_instance[positive]' doesn't have a backup retention period defined",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Nifcloud Low RDB Backup Retention Period",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days",
+ "actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '%!s(int=5)' which is less than minimum of 7 days",
+ "issueType": "IncorrectValue"
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
index f1c041a3ef5..438010573d7 100644
--- a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
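Review bot: The positive2.tf entry freezes a Go formatting artifact into the expected result: `'%!s(int=5)'` in `actualValue` is what fmt emits when an integer is passed to a `%s` verb, so the scanner message is malformed and this fixture now asserts the malformed text. The string presumably originates from a sprintf in the query's rego (not visible here), and the fix belongs there — an integer verb, or converting the value before formatting — followed by regenerating this file; as committed, the check passes on a broken message and will fail as soon as the query is corrected. The service_with_external_load_balancer entries at the top of this chunk carry the same class of defect, `%!(EXTRA string=example3)` / `example4`, which is fmt's marker for a surplus sprintf argument.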
@@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud RDB Has Public DB Access", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud RDB Has Public DB Access", + "severity": "HIGH", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should not use publicly accessible set to true. You should limit all access to the minimum that is required for your application to function.", + "actualValue": "'nifcloud_db_instance[positive]' has publicly accessible set to true.", + "issueType": "IncorrectValue" + } ] diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json index 0c41e6b1eb8..5b1b12fe52b 100644 --- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud RDB Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud RDB Has Common Private Network", + "severity": "LOW", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_instance", + "resourceName": "positive", + "searchKey": "nifcloud_db_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_db_instance[positive]' has common private network", + "issueType": "IncorrectValue" + } ] 
diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json index 547983c13bf..d79fb8925c5 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json @@ -1,8 +1,15 @@ [ - { - "queryName": "Nifcloud RDB Undefined Description To DB Security Group", - "severity": "INFO", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud RDB Undefined Description To DB Security Group", + "severity": "INFO", + "line": 1, + "filename": "positive.tf", + "resourceType": "nifcloud_db_security_group", + "resourceName": "positive", + "searchKey": "nifcloud_db_security_group[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_db_security_group[positive]' should include a description for auditing purposes.", + "actualValue": "'nifcloud_db_security_group[positive]' does not have a description.", + "issueType": "MissingAttribute" + } ] diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json index 425cc5d611a..10767b01cda 100644 --- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json 
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_db_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_security_group[positive]' set a more restrictive cidr range",
+ "actualValue": "'nifcloud_db_security_group[positive]' allows traffic from /0",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
index b6523967215..18f58b01e5c 100644
--- a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud DNS Has Verified Record",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud DNS Has Verified Record",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_dns_record",
+ "resourceName": "test.example.test",
+ "searchKey": "nifcloud_dns_record[positive]",
+ "searchValue": "",
+ "expectedValue": "Verified records should be removed from 'nifcloud_dns_record[positive]'.",
+ "actualValue": "'nifcloud_dns_record[positive]' has risk of DNS records being used by others.",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
index 93ef9fa8953..83af1e5229c 100644
--- a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud ELB Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_elb[positive]' has common private network",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Nifcloud ELB Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_elb[positive]' has common private network",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
index 1c910a5b611..4540ebf4176 100644
--- a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_elb_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_elb_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
index 8234db197e2..9def187ec56 100644
--- a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud ELB Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Nifcloud ELB Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features",
+ "actualValue": "'nifcloud_elb[positive]' use HTTP protocol",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
index 2546d14e399..7c51487080c 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
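Review bot: The two entries for `Nifcloud ELB Using HTTP Protocol` in this hunk carry different message text for what looks like the same finding: positive1.tf has `should switch to HTTPS to benefit from TLS security features.` / `using HTTP protocol.`, positive2.tf has `... security features` / `use HTTP protocol` with a different verb and no trailing period. If both strings really come from two separate rules in query.rego, the wording should be unified there so the expectedValue/actualValue patterns are matched consistently; if one entry was edited by hand it will stop matching the scanner output as soon as these fields are compared. The sibling `Nifcloud ELB Listener Using HTTP Protocol` fixture uses identical text for both of its entries, which suggests this one is the outlier. Please confirm against the rego before merging.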
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud LB Listener Using HTTP Port",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud LB Listener Using HTTP Port",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_load_balancer_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_load_balancer_listener[positive]' using HTTP port.",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
index 9e59261f27a..8a7fea43529 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud LB Using HTTP Port",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using HTTP Port",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using HTTP port.",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
index 7cc8afe871c..6e6560c5315 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute"
+ }
]
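Review bot: Both entries of `Nifcloud LB Using Insecure TLS Policy ID` are labelled `"issueType": "MissingAttribute"`, yet their actualValue `'nifcloud_load_balancer[positive]' using outdated SSL policy.` describes a policy that is present but weak, which is what `IncorrectValue` exists for. The sibling `Nifcloud LB Using Insecure TLS Policy Name` fixture later in this diff labels its positive2.tf entry, with byte-identical expectedValue and actualValue, as `IncorrectValue`, so at least one of the two fixtures appears mis-classified. Since the add_issue_type script assigns the type by matching message patterns and the two rego branches here seem to share one message, the match is ambiguous and should be confirmed by reading query.rego and positive2.tf. If positive2.tf sets an explicit outdated policy id, the second entry should read `"issueType": "IncorrectValue"`.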
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
index 7bb192e65b9..241c6c53bb9 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute"
+ },
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "IncorrectValue"
+ }
]
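Review bot: The positive1.tf entry is typed `MissingAttribute` while its actualValue says `'nifcloud_load_balancer[positive]' using outdated SSL policy.`, so the message and the issue type disagree about whether the policy attribute is absent or set to a weak value; the two entries in this hunk differ only in that field and in filename. That makes the fixture hard to audit and, because the add_issue_type script keys on these message strings, easy to mis-label in future regenerations. If the rego's undefined-attribute branch is what fires for positive1.tf, consider giving that branch its own actualValue in query.rego (for example `'nifcloud_load_balancer[positive]' does not define an SSL policy`, which is what the `MissingAttribute` type conveys); if instead both fixtures set an explicit outdated policy, the first entry should be `"issueType": "IncorrectValue"`. I cannot see the rego or the .tf fixtures from this diff, so please verify which case applies.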
diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
index 25d43939456..6f72ef6ed86 100644
--- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud NAS Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_nas_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_instance[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_nas_instance[positive]' has common private network",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
index 7a29f969aee..0ceff88141b 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud NAS Undefined Description To NAS Security Group",
- "severity": "INFO",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Undefined Description To NAS Security Group",
+ "severity": "INFO",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_nas_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_security_group[positive]' should include a description for auditing purposes",
+ "actualValue": "'nifcloud_nas_security_group[positive]' does not have a description",
+ "issueType": "MissingAttribute"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
index 3aa266359bb..9f0e56150c9 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_nas_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_security_group[positive]' set a more restrictive cidr range",
+ "actualValue": "'nifcloud_nas_security_group[positive]' allows traffic from /0",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
index 4ee87233b90..65bcc8ec9fc 100644
--- a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
@@ -1,14 +1,28 @@
[
- {
- "queryName": "Nifcloud Router Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud Router Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud Router Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.",
+ "actualValue": "'nifcloud_router[positive]' has common private network.",
+ "issueType": "IncorrectValue"
+ },
+ {
+ "queryName": "Nifcloud Router Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "filename": "positive2.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.",
+ "actualValue": "'nifcloud_router[positive]' has common private network.",
+ "issueType": "IncorrectValue"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
index 56e9ea411de..2d4cd2e6d75 100644
--- a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud Router Undefined Security Group",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud Router Undefined Security Group",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should include a security_group for security purposes",
+ "actualValue": "'nifcloud_router[positive]' does not have a security_group",
+ "issueType": "MissingAttribute"
+ }
]
diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
index 78ad7248b59..88e4905373f 100644
--- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
@@ -1,8 +1,15 @@
[
- {
- "queryName": "Nifcloud VPN Gateway Undefined Security Group",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud VPN Gateway Undefined Security Group",
+ "severity": "HIGH",
+ "line": 1,
+ "filename": "positive.tf",
+ "resourceType": "nifcloud_vpn_gateway",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_vpn_gateway[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_vpn_gateway[positive]' should include a security_group for security purposes.",
+ "actualValue": "'nifcloud_vpn_gateway[positive]' does not have a security_group defined.",
+ "issueType": "MissingAttribute"
+ }
]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
index b8625c07b33..efd8c7193d2 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
"queryName": "CDB Instance Internet Service Enabled",
"severity": "HIGH",
"line": 24,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example].internet_service",
+ "searchValue": "",
+ "expectedValue": "[example] has 'internet_service' set to 0 or undefined",
+ "actualValue": "[example] has 'internet_service' set to 1",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
index 3cc7d62ea51..1dd56045d6e 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
@@ -3,12 +3,26 @@
"queryName": "CDB Instance Internet Using Default Intranet Port",
"severity": "LOW",
"line": 34,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example].intranet_port",
+ "searchValue": "",
+ "expectedValue": "[example] has 'intranet_port' set to non 3306",
+ "actualValue": "[example] has 'intranet_port' set to 3306",
+ "issueType": "IncorrectValue"
},
{
"queryName": "CDB Instance Internet Using Default Intranet Port",
"severity": "LOW",
"line": 23,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example]",
+ "searchValue": "",
+ "expectedValue": "[example] 'intranet_port' should be set and the value should not be 3306",
+ "actualValue": "[example] does not set 'intranet_port'",
+ "issueType": "MissingAttribute"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
index 7f87513f7f5..4788f18ea6b 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
@@ -3,6 +3,13 @@
"queryName": "CDB Instance Without Backup Policy",
"severity": "MEDIUM",
"line": 23,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "none_backup_policy",
+ "searchKey": "tencentcloud_mysql_instance[none_backup_policy]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_mysql_instance[none_backup_policy] should have 'tencentcloud_mysql_backup_policy'",
+ "actualValue": "tencentcloud_mysql_instance[none_backup_policy] does not have 'tencentcloud_mysql_backup_policy'",
+ "issueType": "MissingAttribute"
}
]
diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
index 2ee3ae8ebaf..ce271a49f8d 100644
--- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
"queryName": "CLB Instance Log Setting Disabled",
"severity": "MEDIUM",
"line": 19,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_clb_instance",
+ "resourceName": "internal_clb",
+ "searchKey": "tencentcloud_clb_instance[internal_clb]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_instance[internal_clb] should set 'log_set_id' and 'log_topic_id'",
+ "actualValue": "tencentcloud_clb_instance[internal_clb] not set 'log_set_id' and 'log_topic_id'",
+ "issueType": "MissingAttribute"
}
]
diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
index 6cce5eb28da..c9f5359da85 100644
--- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
@@ -3,18 +3,39 @@
"queryName": "CLB Listener Using Insecure Protocols",
"severity": "HIGH",
"line": 4,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol",
+ "issueType": "IncorrectValue"
},
{
"queryName": "CLB Listener Using Insecure Protocols",
"severity": "HIGH",
"line": 4,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol",
+ "issueType": "IncorrectValue"
},
{
"queryName": "CLB Listener Using Insecure Protocols",
"severity": "HIGH",
"line": 4,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[UDP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[UDP] is an insecure protocol",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
index b48c8f1787d..26a0fe823d1 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
@@ -3,6 +3,13 @@
"queryName": "CVM Instance Disable Monitor Service",
"severity": "INFO",
"line": 13,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].disable_monitor_service",
+ "searchValue": "",
+ "expectedValue": "[cvm_postpaid] 'disable_monitor_service' should be set to false",
+ "actualValue": "[cvm_postpaid] 'disable_monitor_service' is true",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
index a37d3770f89..0b123241734 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
@@ -3,6 +3,13 @@
"queryName": "CVM Instance Has Public IP",
"severity": "HIGH",
"line": 13,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].allocate_public_ip",
+ "searchValue": "",
+ "expectedValue": "[cvm_postpaid] 'allocate_public_ip' should be set to false",
+ "actualValue": "[cvm_postpaid] 'allocate_public_ip' is true",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
index 86122a808e3..68f6b0fde8a 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
@@ -3,12 +3,26 @@
"queryName": "CVM Instance Using Default Security Group",
"severity": "LOW",
"line": 18,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].orderly_security_groups",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups contains 'default'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "CVM Instance Using Default Security Group",
"severity": "LOW",
"line": 18,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].security_groups",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].security_groups should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].security_groups contains 'default'",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
index 7f70cb7a4d3..02050382a42 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
@@ -3,12 +3,26 @@
"queryName": "CVM Instance Using Default VPC",
"severity": "LOW",
"line": 22,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'",
+ "issueType": "IncorrectValue"
},
{
"queryName": "CVM Instance Using Default VPC",
"severity": "LOW",
"line": 23,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet",
+ "issueType": "IncorrectValue"
}
]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
index b65024bc18b..5f2ed30eed7 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
index 7ff48719112..f7da0200eeb 100644
--- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
@@ -2,13 +2,27 @@
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.tf"
+ "line": 1,
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_cbs_storage",
+ "resourceName": "encrytion_positive1",
+ "searchKey": "tencentcloud_cbs_storage[encrytion_positive1]",
+ "searchValue": "",
+ "expectedValue": "[encrytion_positive1] has encryption enabled",
+ "actualValue": "[encrytion_positive1] does not have encryption enabled",
+ "issueType": "MissingAttribute"
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
+ "line": 6,
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_cbs_storage",
+ "resourceName": "encrytion_positive2",
+ "searchKey": "tencentcloud_cbs_storage[encrytion_positive2].encrypt",
+ "searchValue": "",
+ "expectedValue": "[encrytion_positive2] has encryption set to true",
+ "actualValue": "[encrytion_positive2] has encryption set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
index d75322bb8b9..aa25aad7420 100644
--- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
@@ -3,24 +3,52 @@
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
index 836133453de..7c5d9097d25 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "TKE Cluster Encryption Protection Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "none_encryption_protection",
+ "searchKey": "tencentcloud_kubernetes_cluster[none_encryption_protection]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] should have 'tencentcloud_kubernetes_encryption_protection' enabled",
+ "actualValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
index d1b2cf1e2a6..d8c80529b33 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
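Review bot: The four entries of the security_group_rule_set_accepts_all_traffic fixture freeze three different phrasings of what reads as the same finding: positive1 and positive4 pin `ingress should not be set to accept all traffic` / `ingress is set to accept all traffic`, positive2 pins the actualValue `ingress accept all traffic`, and positive3 pins the expectedValue `ingress should not set accept all traffic`. Because requireEqualVulnerabilities in this PR now compares KeyExpectedValue and KeyActualValue byte-for-byte, the fixture locks this wording in for every future run. The strings presumably come from separate rules in query.rego (not in this diff); even if the split is deliberate, one grammatical pair per check, followed by regenerating the fixture, would make both the test data and the output shown to users consistent. The JSON file has no comment syntax, so any rationale for the differing wording belongs in the query metadata or the PR description.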
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json 
@@ -3,72 +3,156 @@
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal to 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 84,
- "fileName": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 62,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 83,
- "fileName": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 84,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 105,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 126,
- "fileName": "positive3.tf"
+ "filename": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 62,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 83,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 104,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 124,
- "fileName": "positive4.tf"
+ "filename": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
index 70d98bf6e03..20f48e54099 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
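Review bot: The tke_cluster_has_public_access fixture pins several wordings for the same check, and the new byte-for-byte KeyExpectedValue/KeyActualValue assertions in queries_test.go will keep them: `should be equal to 'false'` beside `should equal 'false'`, `is equal to 'true'` beside `is equal 'true'`, and for internet_max_bandwidth_out `'0' or undefined` (positive2) against `'0' or null` and `should be equal to '0' or null` (positive4). Normalising the messages in query.rego (outside this diff) to one pair per check and regenerating would make the fixture and the scan output users see consistent. Separately, the positive3.tf line-84 entry and the positive4.tf line-83 entry carry master_config searchKeys where the corresponding positive1.tf line-84 and positive2.tf line-83 entries carry worker_config; if those files are meant to mirror each other, this is worth confirming against a fresh scan rather than assuming the generated values are right.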
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
@@ -3,12 +3,26 @@
 "queryName": "TKE Cluster Log Agent Is Not Enabled",
 "severity": "LOW",
 "line": 39,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "managed_cluster",
+ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled should be set to 'true'",
+ "actualValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled is not set to 'true'",
+ "issueType": "IncorrectValue"
 },
 {
 "queryName": "TKE Cluster Log Agent Is Not Enabled",
 "severity": "LOW",
 "line": 6,
- "filename": "positive2.tf"
+ "filename": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "managed_cluster",
+ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster]",
+ "searchValue": "",
+ "expectedValue": "'log_agent' should be defined and not null",
+ "actualValue": "'log_agent' is undefined or null",
+ "issueType": "MissingAttribute"
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
index db64c91d062..8aa76c84a0b 100644
--- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
@@ -3,6 +3,13 @@
 "queryName": "VPC Flow Logs Disabled",
 "severity": "LOW",
 "line": 97,
- "filename": "positive1.tf"
+ "filename": "positive1.tf",
+ "resourceType": "tencentcloud_vpc_flow_log_config",
+ "resourceName": "config",
+ "searchKey": "tencentcloud_vpc_flow_log_config[config].enable",
+ "searchValue": "",
+ "expectedValue": "[config] should have enable set to true",
+ "actualValue": "[config] has enable set to false",
+ "issueType": "IncorrectValue"
 }
 ]
diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
index 74659e3d16a..47caa36a8ea 100644
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-alpine AS build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-alpine AS build_env
 # Install build dependencies
 RUN apk add --no-cache git
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
index db9f7bd30c8..f74b5517dd8 100644
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-bookworm as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.8-bookworm as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx
diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8
index e9caa31353f..85a39dc998e 100644
--- a/docker/Dockerfile.ubi8
+++ b/docker/Dockerfile.ubi8
@@ -4,10 +4,10 @@ WORKDIR /build
 ENV PATH=$PATH:/usr/local/go/bin
-ADD https://golang.org/dl/go1.25.7.linux-amd64.tar.gz .
+ADD https://golang.org/dl/go1.25.8.linux-amd64.tar.gz .
 RUN yum install git gcc -y \
- && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.7.linux-amd64.tar.gz \
- && rm -f go1.25.7.linux-amd64.tar.gz
+ && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.8.linux-amd64.tar.gz \
+ && rm -f go1.25.8.linux-amd64.tar.gz
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"
diff --git a/test/queries_test.go b/test/queries_test.go
index 88e593d30cd..34125156c3f 100644
--- a/test/queries_test.go
+++ b/test/queries_test.go
@@ -281,16 +281,37 @@ func testQuery(tb testing.TB, entry queryEntry, filesPath []string, expectedVuln
 }
 
 func vulnerabilityCompare(vulnerabilitySlice []model.Vulnerability, i, j int) bool {
- if vulnerabilitySlice[i].FileName != "" {
- compareFile := strings.Compare(filepath.Base(vulnerabilitySlice[i].FileName), filepath.Base(vulnerabilitySlice[j].FileName))
- if compareFile == 0 {
- return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line
- } else if compareFile < 0 {
- return true
+ a := vulnerabilitySlice[i]
+ b := vulnerabilitySlice[j]
+
+ if a.FileName != "" {
+ compareFile := strings.Compare(filepath.Base(a.FileName), filepath.Base(b.FileName))
+ if compareFile != 0 {
+ return compareFile < 0
 }
- return false
 }
- return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line
+ if a.Line != b.Line {
+ return a.Line < b.Line
+ }
+ if cmp := strings.Compare(a.SearchKey, b.SearchKey); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.SearchValue, b.SearchValue); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.ResourceType, b.ResourceType); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.ResourceName, b.ResourceName); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.QueryName, b.QueryName); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.KeyExpectedValue, b.KeyExpectedValue); cmp != 0 {
+ return cmp < 0
+ }
+ return strings.Compare(a.KeyActualValue, b.KeyActualValue) < 0
 }
 
 func validateQueryResultFields(tb testing.TB, vulnerabilities []model.Vulnerability) {
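Review bot: The rewritten comparator is still asymmetric when only one of the two results carries a FileName: `if a.FileName != ""` skips the file comparison when a.FileName is empty but b.FileName is set, while the reverse call compares filepath.Base(b.FileName) against filepath.Base("") (which is "."), so less(a, b) and less(b, a) can disagree and sort.Slice is then not guaranteed a consistent order. Guarding on either side, `if a.FileName != "" || b.FileName != "" {`, keeps the intent (skip the file comparison only when neither side has a file) and makes the order total; every fixture in this PR sets filename, so this presumably only matters for results built without one. The tie-break chain below still lets results that differ only in Severity or IssueType compare equal, which is harmless for sorting but deserves a one-line comment above the function naming the fields that participate, since requireEqualVulnerabilities relies on this order to pair expected and actual items. The closing brace of testQuery is the first context line, and validateQueryResultFields on the last line continues outside the hunk.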
@@ -375,11 +396,18 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera
 require.Equal(tb, expectedItem.Line, actualItem.Line, "Incorrect detected line for query %s \n%v\n---\n%v", dir, filterFileNameAndLine(expected), filterFileNameAndLine(actual))
 require.Equal(tb, expectedItem.Severity, actualItem.Severity, "Invalid severity for query %s", dir)
- require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: %s", dir, actualItem.FileName)
+ require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: Actual: %s | Expected: %s", dir, actualItem.FileName)
 if expectedItem.Value != nil {
 require.NotNil(tb, actualItem.Value)
 require.Equal(tb, *expectedItem.Value, *actualItem.Value)
 }
+ require.Equal(tb, expectedItem.ResourceType, actualItem.ResourceType, "Invalid resource type for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceType, actualItem.ResourceType)
+ require.Equal(tb, expectedItem.ResourceName, actualItem.ResourceName, "Invalid resource name for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceName, actualItem.ResourceName)
+ require.Equal(tb, expectedItem.SearchKey, actualItem.SearchKey, "Invalid searchKey for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchKey, actualItem.SearchKey)
+ require.Equal(tb, expectedItem.SearchValue, actualItem.SearchValue, "Invalid searchValue for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchValue, actualItem.SearchValue)
+ require.Equal(tb, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue, "Invalid expected value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue)
+ require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyActualValue, actualItem.KeyActualValue)
+ require.Equal(tb, expectedItem.IssueType, actualItem.IssueType, "Invalid issue type for query %s\n Expected[%s]%s: %s\n Actual[%s]: %s\n Ex\n", dir, expectedItem.FileName, expectedItem.IssueType, actualItem.FileName, actualItem.IssueType)
 }
 }
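Review bot: The rewritten query-name assertion has three `%s` verbs but passes only two arguments, `dir, actualItem.FileName`, so when it fails the message shows `%!s(MISSING)` in place of the value it promises, and because testify formats msgAndArgs through fmt.Sprintf at run time nothing warns about it at compile time; the values the label announces are the two query names, i.e. `"Invalid query name for query %s :: Actual: %s | Expected: %s", dir, actualItem.QueryName, expectedItem.QueryName`. The new IssueType assertion has the same defect: `"Invalid issue type for query %s\n Expected[%s]%s: %s\n Actual[%s]: %s\n Ex\n"` has six verbs for five arguments plus a stray `Ex` trailer, and `"Invalid issue type for query %s\n Expected[%s]: %s\n Actual[%s]: %s", dir, expectedItem.FileName, expectedItem.IssueType, actualItem.FileName, actualItem.IssueType` matches the shape of the six assertions added just above it. The enclosing for loop and requireEqualVulnerabilities itself begin outside the hunk.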