Merge branch 'master' into experimental-features

Dockerfile

@@ -44,19 +44,19 @@ Run apk update --no-cache \
     git~=2.40
 
 # Install Terraform and Terraform plugins
-RUN wget https://releases.hashicorp.com/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip \
-    && unzip terraform_1.3.9_linux_amd64.zip && rm terraform_1.3.9_linux_amd64.zip \
+RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip \
+    && unzip terraform_1.5.6_linux_amd64.zip && rm terraform_1.5.6_linux_amd64.zip \
     && mv terraform /usr/bin/terraform \
-    && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.18.0/terraform-provider-azurerm_3.18.0_linux_amd64.zip \
+    && wget https://releases.hashicorp.com/terraform-provider-azurerm/3.71.0/terraform-provider-azurerm_3.71.0_linux_amd64.zip \
     && wget https://releases.hashicorp.com/terraform-provider-aws/3.72.0/terraform-provider-aws_3.72.0_linux_amd64.zip \
     && wget https://releases.hashicorp.com/terraform-provider-google/4.32.0/terraform-provider-google_4.32.0_linux_amd64.zip \
-    && unzip terraform-provider-azurerm_3.18.0_linux_amd64.zip && rm terraform-provider-azurerm_3.18.0_linux_amd64.zip\
+    && unzip terraform-provider-azurerm_3.71.0_linux_amd64.zip && rm terraform-provider-azurerm_3.71.0_linux_amd64.zip\
     && unzip terraform-provider-google_4.32.0_linux_amd64.zip && rm terraform-provider-google_4.32.0_linux_amd64.zip \
     && unzip terraform-provider-aws_3.72.0_linux_amd64.zip && rm terraform-provider-aws_3.72.0_linux_amd64.zip \
-    && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.18.0_x5 ~/.terraform.d/plugins/linux_amd64
+    && mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d/plugins/linux_amd64 && mv terraform-provider-aws_v3.72.0_x5 terraform-provider-google_v4.32.0_x5 terraform-provider-azurerm_v3.71.0_x5 ~/.terraform.d/plugins/linux_amd64
 
 # Install Terraformer
-RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64 \
+RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.24/terraformer-all-linux-amd64 \
     && chmod +x terraformer-all-linux-amd64 \
     && mv terraformer-all-linux-amd64 /usr/bin/terraformer
 

assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json

@@ -0,0 +1,11 @@
+{
+	"id": "8d22ae91-6ac1-459f-95be-d37bd373f244",
+	"queryName": "Insecure Relative Path Resolution",
+	"severity": "LOW",
+	"category": "Best Practices",
+	"descriptionText": "Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.",
+	"descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/",
+	"platform": "Ansible",
+	"descriptionID": "84ea91c8",
+	"cloudProvider": "common"
+}

assets/queries/ansible/general/insecure_relative_path_resolution/query.rego

@@ -0,0 +1,33 @@
+package Cx
+
+import data.generic.ansible as ansLib
+
+module_to_folder = {
+    "copy": "files",
+    "win_copy": "files",
+    "template": "templates",
+    "win_template": "win_templates",
+	"ansible.builtin.template": "templates",
+	"ansible.builtin.copy": "files",
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	folder := module_to_folder[m]
+	copyOrTemplate := task[m]
+	ansLib.checkState(copyOrTemplate)
+
+	relative_path := sprintf("../%s", [folder])
+	contains(copyOrTemplate.src, relative_path)
+
+	result := {
+		"documentId": id,
+		"resourceType": m,
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.src", [task.name, m]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s.src should not be a relative path", [m]),
+		"keyActualValue": sprintf("%s.src is a relative path", [m]),
+	}
+}
+

assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml

@@ -0,0 +1,34 @@
+---
+- name: Negative Example
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.copy:
+        content:
+        dest: /etc/mine.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: /home/example/files/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"
+
+---
+- name: Negative Example 2
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.template:
+        src: ../example/foo.j2
+        dest: /etc/file.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: ../example/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"
+    - name: Three
+      win_template:
+        src: ../example/foo2.j2
+        dest: /etc/file.conf
+        mode: "0644"

assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yaml

@@ -0,0 +1,14 @@
+---
+- name: Positive Example
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.template:
+        src: ../templates/foo.j2
+        dest: /etc/file.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: ../files/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"

assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Insecure Relative Path Resolution",
+		"severity": "LOW",
+		"line": 7,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Insecure Relative Path Resolution",
+		"severity": "LOW",
+		"line": 12,
+		"fileName": "positive1.yaml"
+	}
+]

assets/queries/ansible/general/logging_of_sensitive_data/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "59029ddf-e651-412b-ae7b-ff6d403184bc",
+    "queryName": "Logging of Sensitive Data",
+    "severity": "LOW",
+    "category": "Best Practices",
+    "descriptionText": "To keep sensitive values out of logs, tasks that expose them need to be marked defining 'no_log' and setting to True",
+    "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-log-password/",
+    "platform": "Ansible",
+    "descriptionID": "a700e724",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/general/logging_of_sensitive_data/query.rego

@@ -0,0 +1,42 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+
+	not commonLib.valid_key(task, "no_log")
+
+	action := task["ansible.builtin.user"]
+	commonLib.valid_key(action, "password")
+
+	result := {
+		"documentId": id,
+		"resourceName": task.name,
+		"resourceType": "ansible.builtin.user",
+		"searchKey": sprintf("name={{%s}}", [task.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data",
+		"keyActualValue": "'no_log' is not defined",
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+
+	task.no_log == false
+
+	action := task["ansible.builtin.user"]
+	commonLib.valid_key(action, "password")
+
+	result := {
+		"documentId": id,
+		"resourceName": task.name,
+		"resourceType": "ansible.builtin.user",
+		"searchKey": sprintf("name={{%s}}.no_log", [task.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data",
+		"keyActualValue": "'no_log' is set to false",
+	}
+}

assets/queries/ansible/general/logging_of_sensitive_data/test/negative1.yaml

@@ -0,0 +1,41 @@
+---
+- name: Negative playbook
+  hosts: localhost
+  tasks:
+    - name: foo
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow
+      no_log: true
+
+---
+- name: Negative Playbook 2
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+      with_items:
+        - wow
+      no_log: false
+
+---
+- name: Negative Playbook 3
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+      with_items:
+        - wow

assets/queries/ansible/general/logging_of_sensitive_data/test/positive1.yaml

@@ -0,0 +1,14 @@
+---
+- name: Positive Playbook
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow
+      no_log: false

assets/queries/ansible/general/logging_of_sensitive_data/test/positive2.yaml

@@ -0,0 +1,13 @@
+---
+- name: Positive Playbook
+  hosts: localhost
+  tasks:
+    - name: bar
+      ansible.builtin.user:
+        name: john_doe
+        comment: John Doe
+        uid: 1040
+        group: admin
+        password: "{{ item }}"
+      with_items:
+        - wow

assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+		"line": 14,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Logging of Sensitive Data",
+		"severity": "LOW",
+		"line": 5,
+		"fileName": "positive2.yaml"
+	}
+]

assets/queries/ansible/general/risky_file_permissions/metadata.json

@@ -0,0 +1,11 @@
+{
+    "id": "88841d5c-d22d-4b7e-a6a0-89ca50e44b9f",
+    "queryName": "Risky File Permissions",
+    "severity": "INFO",
+    "category": "Supply-Chain",
+    "descriptionText": "Some modules could end up creating new files on disk with permissions that might be too open or unpredictable",
+    "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/risky-file-permissions/",
+    "platform": "Ansible",
+    "descriptionID": "1f0e1485",
+    "cloudProvider": "common"
+  }

assets/queries/ansible/general/risky_file_permissions/query.rego

@@ -0,0 +1,91 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][e]
+    action := task[m]
+    action.mode == "preserve"
+
+    modules_with_preserve := ["copy", "template"]
+    count([x | x := modules_with_preserve[mp]; x == m]) == 0
+
+	result := {
+		"documentId": id,
+		"resourceType": m,
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s does not allow setting 'preserve' value for 'mode' key", [m]),
+		"keyActualValue": sprintf("'Mode' key of %s is set to 'preserve'", [m]),
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][_]
+    modules := [
+        "archive", "community.general.archive", "assemble", "ansible.builtin.assemble", "copy", "ansible.builtin.copy", "file", "ansible.builtin.file", 
+        "get_url", "ansible.builtin.get_url", "template", "ansible.builtin.template",
+    ]
+	action := task[modules[m]]
+
+    state := object.get(action, "state", "none")
+	state != "absent"
+    state != "link"
+
+	not common_lib.valid_key(action, "recurse")
+    not file_module(action, modules[m])
+
+    not common_lib.valid_key(action, "mode")
+
+	result := {
+		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, modules[m]]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("All the permissions set in %s about creating files/directories", [modules[m]]),
+		"keyActualValue": sprintf("There are some permissions missing in %s and might create directory/file", [modules[m]]),
+	}
+}
+
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][_]
+    modules := {
+        "blockinfile": false,
+        "ansible.builtin.blockinfile": false,
+        "htpasswd": true,
+        "community.general.htpasswd": true,
+        "ini_file": true,
+        "community.general.ini_file": true,
+        "lineinfile": false,
+        "ansible.builtin.lineinfile": false,
+    }
+
+	action := task[m]
+    not common_lib.valid_key(action, "mode")
+
+    bool := modules[m]
+    object.get(action, "create", bool) == true
+
+	result := {
+		"documentId": id,
+		"resourceType": modules[m],
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}", [task.name, m]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s 'create' key should set to 'false' or 'mode' key should be defined", [m]),
+		"keyActualValue": sprintf("%s 'create' key is set to 'true' and 'mode' key is not defined", [m]),
+	}
+}
+
+file_module(action, module_name){
+    module_name == "file"
+    object.get(action, "state", "file") == "file"
+} else {
+	module_name == "ansible.builtin.file"
+    object.get(action, "state", "file") == "file"
+}