Merge pull request #6292 from Checkmarx/kics706

fix(query): serverless_function_without_unique_iam_role
Checkmarx · Apr 12, 2023 · 4e841b2 · 4e841b2
2 parents 7b0ba2d + 7235a99
commit 4e841b2
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 0 deletions.
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/query.rego
@@ -6,6 +6,7 @@ import data.generic.serverlessfw as sfw_lib
 CxPolicy[result] {
 	document := input.document[i]
 	functions := document.functions
+	is_object(functions)
 	function := functions[fname]
 
 	not common_lib.valid_key(function, "role")
@@ -21,3 +22,23 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(["functions", fname], []),
 	}
 }
+
+CxPolicy[result] {
+	document := input.document[i]
+	functions := document.functions
+	is_array(functions)
+	function := functions[k][fname]
+
+	not common_lib.valid_key(function, "role")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": sfw_lib.resourceTypeMapping("function", document.provider.name),
+		"resourceName": fname,
+		"searchKey": sprintf("functions[%s].%s", [k,fname]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'role' should be defined inside the function",
+		"keyActualValue": "'role' is not defined",
+		"searchLine": common_lib.build_search_line(["functions",k ,fname], []),
+	}
+}
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/negative2.yml b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/negative2.yml
@@ -0,0 +1,13 @@
+service: service
+frameworkVersion: '2' 
+provider:
+  name: aws
+  runtime: nodejs12.x
+
+functions:
+  - hello:
+      handler: handler.hello
+      onError: arn:aws:sns:us-east-1:XXXXXX:test
+      tags:
+        foo: bar
+      role: arn:aws:iam::XXXXXX:role/role
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive2.yml b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive2.yml
@@ -0,0 +1,12 @@
+service: service
+frameworkVersion: '2' 
+provider:
+  name: aws
+  runtime: nodejs12.x
+
+functions:
+  - hello:
+      handler: handler.hello
+      onError: arn:aws:sns:us-east-1:XXXXXX:test
+      tags:
+        foo: bar
diff --git a/...rverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/...rverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json
@@ -4,5 +4,11 @@
     "severity": "MEDIUM",
     "line": 8,
     "fileName": "positive1.yml"
+  },
+  {
+    "queryName": "Serverless Function Without Unique IAM Role",
+    "severity": "MEDIUM",
+    "line": 8,
+    "fileName": "positive2.yml"
   }
 ]