Merge pull request #7052 from Checkmarx/AST-40641

fix(query): fix bugs and small improvements to TF queries
Checkmarx · May 17, 2024 · d342f4c · d342f4c
2 parents 9fca6c8 + 79a5709
commit d342f4c
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 14 deletions.
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/query.rego
@@ -14,8 +14,8 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("aws_instance.{{%s}}", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'monitoring' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'monitoring' is undefined or null", [name]),
+		"keyExpectedValue": "'monitoring' should be defined and not null",
+		"keyActualValue": "'monitoring' is undefined or null",
 		"searchLine": common_lib.build_search_line(["resource", "aws_instance", name], []),
 		"remediation": "monitoring = true",
 		"remediationType": "addition",
@@ -34,8 +34,8 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("module[%s]", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'monitoring' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'monitoring' is undefined or null", [name]),
+		"keyExpectedValue": "'monitoring' should be defined and not null",
+		"keyActualValue": "'monitoring' is undefined or null",
 		"searchLine": common_lib.build_search_line(["module", name], []),
 		"remediation": sprintf("%s = true",[keyToCheck]),
 		"remediationType": "addition",
@@ -53,8 +53,8 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("aws_instance.{{%s}}.monitoring", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'monitoring' should be set to true", [name]),
-		"keyActualValue": sprintf("'monitoring' is set to false", [name]),
+		"keyExpectedValue": sprintf("%s.'monitoring' should be set to true", [name]),
+		"keyActualValue": sprintf("%s.'monitoring' is set to false", [name]),
 		"searchLine": common_lib.build_search_line(["resource", "aws_instance", name, "monitoring"], []),
 		"remediation": json.marshal({
 			"before": "false",
@@ -76,8 +76,8 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("module[%s].%s", [name,keyToCheck]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'monitoring' should be set to true", [name]),
-		"keyActualValue": sprintf("'monitoring' is set to false", [name]),
+		"keyExpectedValue": sprintf("%s.'monitoring' should be set to true", [name]),
+		"keyActualValue": sprintf("%s.'monitoring' is set to false", [name]),
 		"searchLine": common_lib.build_search_line(["module", name, keyToCheck], []),
 		"remediation": json.marshal({
 			"before": "false",

diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
@@ -3,30 +3,30 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-#CxPolicy for ressource iam policy
+#CxPolicy for resource iam policy
 CxPolicy[result] {
 	resourceType := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
 	resource := input.document[i].resource[resourceType[idx]][name]
 	policy := common_lib.json_unmarshal(resource.policy)
 	st := common_lib.get_statement(policy)
 	statement := st[_]
-
+ 
 
 	check_iam_action(statement) == true
-	not check_iam_ressource(statement)
+	not check_iam_resource(statement)
 
     result := {
 		"documentId": input.document[i].id,
 		"resourceType": resourceType[idx],
 		"resourceName": tf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("%s[%s].policy", [resourceType[idx], name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("%s[%s].policy should be misconfigured", [name]),
-		"keyActualValue": sprintf("%s[%s].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", [name])
+		"keyExpectedValue": sprintf("[%s].policy should be misconfigured", [name]),
+		"keyActualValue": sprintf("[%s].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", [name])
 	}
 }
 
-check_iam_ressource(statement) {
+check_iam_resource(statement) {
 	is_string(statement.Resource)
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource)
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource)

diff --git a/...terfaces_dont_use_public_ip/metadata.json → ...k_interfaces_with_public_ip/metadata.json b/...terfaces_dont_use_public_ip/metadata.json → ...k_interfaces_with_public_ip/metadata.json
diff --git a/..._interfaces_dont_use_public_ip/query.rego → ...work_interfaces_with_public_ip/query.rego b/..._interfaces_dont_use_public_ip/query.rego → ...work_interfaces_with_public_ip/query.rego
diff --git a/...faces_dont_use_public_ip/test/negative.tf → ...nterfaces_with_public_ip/test/negative.tf b/...faces_dont_use_public_ip/test/negative.tf → ...nterfaces_with_public_ip/test/negative.tf
diff --git a/...faces_dont_use_public_ip/test/positive.tf → ...nterfaces_with_public_ip/test/positive.tf b/...faces_dont_use_public_ip/test/positive.tf → ...nterfaces_with_public_ip/test/positive.tf
diff --git a/...lic_ip/test/positive_expected_result.json → ...lic_ip/test/positive_expected_result.json b/...lic_ip/test/positive_expected_result.json → ...lic_ip/test/positive_expected_result.json