Merge branch 'master' into experimental-features

assets/libraries/ansible.rego

@@ -147,3 +147,13 @@ isEntireNetwork(cidr) {
 	cidrs = {"0.0.0.0/0", "::/0"}
 	cidr == cidrs[j]
 }
+
+installer_modules := [
+	"community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install", 
+	"community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg", 
+	"ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5", 
+	"community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery", 
+	"community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler", 
+	"dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil", 
+	"portage", "slackpkg", "sorcery", "swdepot", "win_chocolatey", "yarn", "yum", "zypper",
+]

assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "0e75052f-cc02-41b8-ac39-a78017527e95",
+    "queryName": "Privilege Escalation Using Become Plugin",
+    "severity": "MEDIUM",
+    "category": "Access Control",
+    "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+    "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code",
+    "platform": "Ansible",
+    "descriptionID": "11502e38",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego

@@ -0,0 +1,68 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+	playbook := input.document[i].playbooks[_]
+	playbook.become == false
+	commonLib.valid_key(playbook, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "become",
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]),
+		"keyActualValue": "'become' is set to 'false'",
+	}
+}
+
+CxPolicy[result] {
+	playbook := input.document[i].playbooks[_]
+	not commonLib.valid_key(playbook, "become")
+	commonLib.valid_key(playbook, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": sprintf("become_user={{%s}}", [playbook.become_user]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]),
+		"keyActualValue": "'become' is not defined",
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	task.become == false
+	commonLib.valid_key(task, "become_user")
+
+    result := {
+		"documentId": id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": sprintf("name={{%s}}.become_user={{%s}}.become", [task.name, task.become_user]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'become' should be to 'true' in order to perform an action with %s", [task.become_user]),
+		"keyActualValue": "'become' is set to 'false'",
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	not commonLib.valid_key(task, "become")
+	commonLib.valid_key(task, "become_user")
+
+    result := {
+		"documentId": id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]),
+		"keyActualValue": "'become' is not defined",
+	}
+}

assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml

@@ -0,0 +1,17 @@
+---
+- hosts: localhost
+  become_user: postgres
+  become: true
+  tasks:
+    - name: some task
+      ansible.builtin.command: whoamyou
+      changed_when: false
+
+---
+- hosts: localhost
+  tasks:
+    - name: become from the same scope
+      ansible.builtin.command: whoami
+      become: true
+      become_user: postgres
+      changed_when: false

assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml

@@ -0,0 +1,62 @@
+---
+- hosts: localhost
+  name: become_user without become
+  become_user: bar
+
+  tasks:
+    - name: Simple hello
+      ansible.builtin.debug:
+        msg: hello
+
+---
+- hosts: localhost
+  name: become_user with become false
+  become_user: root
+  become: false
+
+  tasks:
+    - name: Simple hello
+      ansible.builtin.debug:
+        msg: hello
+
+---
+- hosts: localhost
+  tasks:
+    - name: become and become_user on different tasks
+      block:
+        - name: Sample become
+          become: true
+          ansible.builtin.command: ls .
+        - name: Sample become_user
+          become_user: foo
+          ansible.builtin.command: ls .
+
+---
+- hosts: localhost
+  tasks:
+    - name: become false
+      block:
+        - name: Sample become
+          become: true
+          ansible.builtin.command: ls .
+        - name: Sample become_user
+          become_user: postgres
+          become: false
+          ansible.builtin.command: ls .
+
+---
+- hosts: localhost
+  tasks:
+    - name: become_user with become task as false
+      ansible.builtin.command: whoami
+      become_user: mongodb
+      become: false
+      changed_when: false
+
+---
+- hosts: localhost
+  tasks:
+    - name: become_user without become
+      ansible.builtin.command: whoami
+      become_user: mysql
+      changed_when: false

assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json

@@ -0,0 +1,38 @@
+[
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 4,
+		"fileName": "positive1.yaml"
+	},
+    {
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 15,
+		"fileName": "positive1.yaml"
+	},
+    {
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 31,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 44,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 53,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"line": 61,
+		"fileName": "positive1.yaml"
+	}
+]

assets/queries/ansible/general/unpinned_package_version/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8",
+    "queryName": "Unpinned Package Version",
+    "severity": "LOW",
+    "category": "Supply-Chain",
+    "descriptionText": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service",
+    "descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/",
+    "platform": "Ansible",
+    "descriptionID": "43e877b3",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/general/unpinned_package_version/query.rego

@@ -0,0 +1,44 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][_]
+	package_installer := task[ansLib.installer_modules[m]]
+	ansLib.checkState(package_installer)
+
+	not common_lib.valid_key(package_installer, "version")
+    not common_lib.valid_key(package_installer, "update_only")
+    package_installer.state == "latest"
+
+	result := {
+		"documentId": id,
+		"resourceType": ansLib.installer_modules[m],
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+		"keyActualValue": "State's task is set to 'latest'",
+	}
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][_]
+	package_installer := task[ansLib.installer_modules[m]]
+	ansLib.checkState(package_installer)
+
+	not common_lib.valid_key(package_installer, "version")
+    package_installer.update_only == false
+    package_installer.state == "latest"
+
+	result := {
+		"documentId": id,
+		"resourceType": ansLib.installer_modules[m],
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+		"keyActualValue": "State's task is set to 'latest'",
+	}
+}