From 8225243366539bb339a8cf76e54ec398e80a2f9d Mon Sep 17 00:00:00 2001 
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 14:15:57 +0100
Subject: [PATCH 1/5] fix(query): deprecated Memcached disabled query
---
.../aws/memcached_disabled/metadata.json | 11 ----------
.../ansible/aws/memcached_disabled/query.rego | 22 -------------------
.../aws/memcached_disabled/test/negative.yaml | 8 -------
.../aws/memcached_disabled/test/positive.yaml | 8 -------
.../test/positive_expected_result.json | 7 ------
.../aws/memcached_disabled/metadata.json | 11 ----------
.../aws/memcached_disabled/query.rego | 19 ----------------
.../memcached_disabled/test/negative1.yaml | 13 -----------
.../memcached_disabled/test/negative2.json | 22 -------------------
.../memcached_disabled/test/positive1.yaml | 13 -----------
.../memcached_disabled/test/positive2.json | 22 -------------------
.../test/positive_expected_result.json | 14 ------------
12 files changed, 170 deletions(-)
delete mode 100644 assets/queries/ansible/aws/memcached_disabled/metadata.json
delete mode 100644 assets/queries/ansible/aws/memcached_disabled/query.rego
delete mode 100644 assets/queries/ansible/aws/memcached_disabled/test/negative.yaml
delete mode 100644 assets/queries/ansible/aws/memcached_disabled/test/positive.yaml
delete mode 100644 assets/queries/ansible/aws/memcached_disabled/test/positive_expected_result.json
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/query.rego
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/test/negative1.yaml
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/test/negative2.json
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/test/positive1.yaml
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/test/positive2.json
delete mode 100644 assets/queries/cloudFormation/aws/memcached_disabled/test/positive_expected_result.json
diff --git a/assets/queries/ansible/aws/memcached_disabled/metadata.json b/assets/queries/ansible/aws/memcached_disabled/metadata.json
deleted file mode 100644
index 5e5616525e7..00000000000
--- a/assets/queries/ansible/aws/memcached_disabled/metadata.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "id": "2d55ef88-b616-4890-b822-47f280763e89",
- "queryName": "Memcached Disabled",
- "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "Check if the Memcached is disabled on the ElastiCache",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine",
- "platform": "Ansible",
- "descriptionID": "1ff6d082",
- "cloudProvider": "aws"
-}
diff --git a/assets/queries/ansible/aws/memcached_disabled/query.rego b/assets/queries/ansible/aws/memcached_disabled/query.rego
deleted file mode 100644
index 756bfef4aaf..00000000000
--- a/assets/queries/ansible/aws/memcached_disabled/query.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package Cx
-
-import data.generic.ansible as ansLib
-
-CxPolicy[result] {
- task := ansLib.tasks[id][t]
- modules := {"community.aws.elasticache", "elasticache"}
- elasticache := task[modules[m]]
- ansLib.checkState(elasticache)
-
- elasticache.engine == "redis"
-
- result := {
- "documentId": id,
- "resourceType": modules[m],
- "resourceName": task.name,
- "searchKey": sprintf("name={{%s}}.{{%s}}.engine", [task.name, modules[m]]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "elasticache.engine to have Memcached enabled",
- "keyActualValue": "elasticache.engine doesn't enable Memcached",
- }
-}
diff --git a/assets/queries/ansible/aws/memcached_disabled/test/negative.yaml b/assets/queries/ansible/aws/memcached_disabled/test/negative.yaml
deleted file mode 100644
index 3200e13bf35..00000000000
--- a/assets/queries/ansible/aws/memcached_disabled/test/negative.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Basic example
- community.aws.elasticache:
- name: test-please-delete
- state: present
- engine: memcached
- cache_engine_version: 5.1.10
- node_type: cache.m1.small
- num_nodes: 1
diff --git a/assets/queries/ansible/aws/memcached_disabled/test/positive.yaml b/assets/queries/ansible/aws/memcached_disabled/test/positive.yaml
deleted file mode 100644
index fbf28c85443..00000000000
--- a/assets/queries/ansible/aws/memcached_disabled/test/positive.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-- name: Basic example
- community.aws.elasticache:
- name: "test-please-delete"
- state: present
- engine: redis
- cache_engine_version: 5.1.10
- node_type: cache.m1.small
- num_nodes: 1
diff --git a/assets/queries/ansible/aws/memcached_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/memcached_disabled/test/positive_expected_result.json
deleted file mode 100644
index 69f7e976878..00000000000
--- a/assets/queries/ansible/aws/memcached_disabled/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "Memcached Disabled",
- "severity": "MEDIUM",
- "line": 5
- }
-]
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json b/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
deleted file mode 100644
index 7c58bc882b4..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/metadata.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "id": "dd0971a6-09c3-4168-8474-a7ef8fbfd99d",
- "queryName": "Memcached Disabled",
- "severity": "MEDIUM",
- "category": "Encryption",
- "descriptionText": "Check if the Memcached is disabled on the ElastiCache",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine",
- "platform": "CloudFormation",
- "descriptionID": "470e2a53",
- "cloudProvider": "aws"
-}
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/query.rego b/assets/queries/cloudFormation/aws/memcached_disabled/query.rego
deleted file mode 100644
index 226c5b842a6..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/query.rego
+++ /dev/null
@@ -1,19 +0,0 @@
-package Cx
-
-import data.generic.cloudformation as cf_lib
-
-CxPolicy[result] {
- ecc := input.document[i].Resources[name]
- ecc.Type == "AWS::ElastiCache::CacheCluster"
- ecc.Properties.Engine == "redis"
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": ecc.Type,
- "resourceName": cf_lib.get_resource_name(ecc, name),
- "searchKey": sprintf("Resources.%s.Properties.Engine", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.Engine should be 'memcached'", [name]),
- "keyActualValue": sprintf("Resources.%s.Properties.Engine is 'redis'", [name]),
- }
-}
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/test/negative1.yaml b/assets/queries/cloudFormation/aws/memcached_disabled/test/negative1.yaml
deleted file mode 100644
index 236465b05d3..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/test/negative1.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: A sample template
-Resources:
- ElasticacheCluster:
- Type: 'AWS::ElastiCache::CacheCluster'
- Properties:
- Engine: memcached
- CacheNodeType: cache.t2.micro
- NumCacheNodes: '1'
- VpcSecurityGroupIds:
- - !GetAtt
- - ElasticacheSecurityGroup
- - GroupId
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/test/negative2.json b/assets/queries/cloudFormation/aws/memcached_disabled/test/negative2.json
deleted file mode 100644
index deb0eb76260..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/test/negative2.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "Description": "A sample template",
- "Resources": {
- "ElasticacheCluster2": {
- "Type": "AWS::ElastiCache::CacheCluster",
- "Properties": {
- "Engine": "memcached",
- "CacheNodeType": "cache.t2.micro",
- "NumCacheNodes": "1",
- "VpcSecurityGroupIds": [
- {
- "Fn::GetAtt": [
- "ElasticacheSecurityGroup",
- "GroupId"
- ]
- }
- ]
- }
- }
- },
- "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
-}
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive1.yaml b/assets/queries/cloudFormation/aws/memcached_disabled/test/positive1.yaml
deleted file mode 100644
index dc011291102..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive1.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: A sample template
-Resources:
- ElasticacheCluster3:
- Type: 'AWS::ElastiCache::CacheCluster'
- Properties:
- Engine: redis
- CacheNodeType: cache.t2.micro
- NumCacheNodes: '1'
- VpcSecurityGroupIds:
- - !GetAtt
- - ElasticacheSecurityGroup
- - GroupId
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive2.json b/assets/queries/cloudFormation/aws/memcached_disabled/test/positive2.json
deleted file mode 100644
index 109f9eec8e3..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive2.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "Description": "A sample template",
- "Resources": {
- "ElasticacheCluster4": {
- "Type": "AWS::ElastiCache::CacheCluster",
- "Properties": {
- "Engine": "redis",
- "CacheNodeType": "cache.t2.micro",
- "NumCacheNodes": "1",
- "VpcSecurityGroupIds": [
- {
- "Fn::GetAtt": [
- "ElasticacheSecurityGroup",
- "GroupId"
- ]
- }
- ]
- }
- }
- },
- "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
-}
diff --git a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/memcached_disabled/test/positive_expected_result.json
deleted file mode 100644
index 35e90eda18f..00000000000
--- a/assets/queries/cloudFormation/aws/memcached_disabled/test/positive_expected_result.json
+++ /dev/null
@@ -1,14 +0,0 @@
-[
- {
- "queryName": "Memcached Disabled",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Memcached Disabled",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive2.json"
- }
-]
From a0a5ce826ad948e106d1a2e5bb6c218e129c7645 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Thu, 8 Feb 2024 15:30:20 +0000
Subject: [PATCH 2/5] add yaml rules to warn
---
.github/scripts/samples-linters/yamllint_ansible.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/scripts/samples-linters/yamllint_ansible.yml b/.github/scripts/samples-linters/yamllint_ansible.yml
index c6faaedff9c..4f85cab29c4 100644
--- a/.github/scripts/samples-linters/yamllint_ansible.yml
+++ b/.github/scripts/samples-linters/yamllint_ansible.yml
@@ -6,5 +6,9 @@ rules:
indentation:
indent-sequences: consistent
comments-indentation: disable
+ new-line-at-end-of-file:
+ level: warning
+ trailing-spaces:
+ level: warning
ignore: |
**/kms_key_with_full_permissions/test/positive.yaml
From dedd30a3f30b1ba8b10a54a859a6a5523b1cff11 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Thu, 8 Feb 2024 15:34:50 +0000
Subject: [PATCH 3/5] set to info
---
.github/scripts/samples-linters/yamllint_ansible.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/scripts/samples-linters/yamllint_ansible.yml b/.github/scripts/samples-linters/yamllint_ansible.yml
index 4f85cab29c4..e9a52036056 100644
--- a/.github/scripts/samples-linters/yamllint_ansible.yml
+++ b/.github/scripts/samples-linters/yamllint_ansible.yml
@@ -7,8 +7,8 @@ rules:
indent-sequences: consistent
comments-indentation: disable
new-line-at-end-of-file:
- level: warning
+ level: info
trailing-spaces:
- level: warning
+ level: info
ignore: |
**/kms_key_with_full_permissions/test/positive.yaml
From 47283144ba50f9d1dc15fd9d318df09186266662 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Thu, 8 Feb 2024 15:41:05 +0000
Subject: [PATCH 4/5] disable
---
.github/scripts/samples-linters/yamllint_ansible.yml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/scripts/samples-linters/yamllint_ansible.yml b/.github/scripts/samples-linters/yamllint_ansible.yml
index e9a52036056..ebf1791e5f7 100644
--- a/.github/scripts/samples-linters/yamllint_ansible.yml
+++ b/.github/scripts/samples-linters/yamllint_ansible.yml
@@ -6,9 +6,7 @@ rules:
indentation:
indent-sequences: consistent
comments-indentation: disable
- new-line-at-end-of-file:
- level: info
- trailing-spaces:
- level: info
+ new-line-at-end-of-file: disable
+ trailing-spaces: disable
ignore: |
**/kms_key_with_full_permissions/test/positive.yaml
From d8480a1091625e02634e889c34b64935989dad82 Mon Sep 17 00:00:00 2001
From: cxMiguelSilva
Date: Thu, 8 Feb 2024 15:51:42 +0000
Subject: [PATCH 5/5] fix files
---
.../test/negative1.yaml | 62 +++++++++----------
.../test/positive1.yaml | 60 +++++++++---------
2 files changed, 61 insertions(+), 61 deletions(-)
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml b/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml
index c6425ea05af..71cbc18fdb8 100644
--- a/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml
+++ b/assets/queries/ansible/general/unpinned_package_version/test/negative1.yaml
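Review bot: The 4/5 hunk replaces the two rule entries with `new-line-at-end-of-file: disable` and `trailing-spaces: disable`, which removes exactly the checks that 5/5 then satisfies by hand in negative1.yaml and positive1.yaml (stripping whitespace-only lines and adding the missing final newline); once those samples are clean, nothing stops the next sample from reintroducing the problem unnoticed. The `level: info` from 3/5 is, as far as I know, not a value yamllint accepts for `level` (only `error` and `warning` are), which is probably what pushed this patch to `disable`; the `level: warning` form introduced in 2/5 would have been non-fatal for the linter run while still reporting. I would keep the 2/5 entries, i.e. `new-line-at-end-of-file:` / `level: warning` and `trailing-spaces:` / `level: warning` under `rules:`, and use the existing `ignore: |` list for any individual sample that genuinely cannot comply. The `rules:` mapping starts above this hunk.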
@@ -18,43 +18,43 @@ name: sudo state: latest update_only: true - + - name: Install nmap community.general.zypper: name: nmap state: present - + - name: Install package without using cache community.general.apk: name: foo state: present no_cache: true - + - name: Install apache httpd ansible.builtin.apt: name: apache2 state: present - + - name: Update Gemfile in another directory community.general.bundler: state: present chdir: ~/rails_project - + - name: Install a modularity appstream with defined profile ansible.builtin.dnf: - name: '@postgresql/client' + name: "@postgresql/client" state: present - + - name: Install rake community.general.gem: name: rake state: present - + - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: present - + - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs 
@@ -64,78 +64,78 @@ username: user_jenkins password: userpass_jenkins register: result - + - name: Install packages based on package.json community.general.npm: path: /app/location state: present - + - name: Install nmap community.general.openbsd_pkg: name: nmap state: present - + - name: Install ntpdate ansible.builtin.package: name: ntpdate state: present - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: present - + - name: Install finger daemon community.general.pkg5: name: service/network/finger state: present - + - name: Install several packages community.general.pkgutil: name: - - CSWsudo - - CSWtop + - CSWsudo + - CSWtop state: present - + - name: Install package foo community.general.portage: package: foo state: present - + - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: present - + - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: present - + - name: Install package unzip community.general.swdepot: name: unzip state: present - depot: 'repository:/path' - + depot: "repository:/path" + - name: Install multiple packages win_chocolatey: name: - - procexp - - putty - - windirstat + - procexp + - putty + - windirstat state: present - + - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true - + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name:
@@ -143,8 +143,8 @@ - postgresql - postgresql-server state: present - + - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm - state: present \ No newline at end of file + state: present
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml b/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml
index 6b05abf809a..b1f95ec39a1 100644
--- a/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml
+++ b/assets/queries/ansible/general/unpinned_package_version/test/positive1.yaml
@@ -22,43 +22,43 @@ name: sudo state: latest update_only: false - + - name: Install nmap community.general.zypper: name: nmap state: latest - + - name: Install package without using cache community.general.apk: name: foo state: latest no_cache: true - + - name: Install apache httpd ansible.builtin.apt: name: apache2 state: latest - + - name: Update Gemfile in another directory community.general.bundler: state: latest chdir: ~/rails_project - + - name: Install a modularity appstream with defined profile ansible.builtin.dnf: - name: '@postgresql/client' + name: "@postgresql/client" state: latest - + - name: Install rake community.general.gem: name: rake state: latest - + - name: Install formula foo with 'brew' from cask community.general.homebrew: name: homebrew/cask/foo state: latest - + - name: Install Green Balls plugin community.general.jenkins_plugin: name: greenballs
@@ -67,74 +67,74 @@ username: user_jenkins password: userpass_jenkins register: result - + - name: Install packages based on package.json community.general.npm: path: /app/location state: latest - + - name: Install nmap community.general.openbsd_pkg: name: nmap state: latest - + - name: Install ntpdate ansible.builtin.package: name: ntpdate state: latest - + - name: Install package bar from file community.general.pacman: name: ~/bar-1.0-1-any.pkg.tar.xz state: latest - + - name: Install finger daemon community.general.pkg5: name: service/network/finger state: latest - + - name: Install several packages community.general.pkgutil: name: - - CSWsudo - - CSWtop + - CSWsudo + - CSWtop state: latest - + - name: Install package foo community.general.portage: package: foo state: latest - + - name: Make sure that it is the most updated package community.general.slackpkg: name: foo state: latest - + - name: Make sure spell foo is installed community.general.sorcery: spell: foo state: latest - + - name: Install package unzip community.general.swdepot: name: unzip state: latest - depot: 'repository:/path' - + depot: "repository:/path" + - name: Install multiple packages win_chocolatey: name: - - procexp - - putty - - windirstat + - procexp + - putty + - windirstat state: latest - + - name: Install "imagemin" node.js package globally. community.general.yarn: name: imagemin global: true state: latest - + - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning) ansible.builtin.yum: name:
@@ -142,8 +142,8 @@ - postgresql - postgresql-server state: latest - + - name: Install local rpm file community.general.zypper: name: /tmp/fancy-software.rpm - state: latest \ No newline at end of file + state: latest