Pushing up to Liam

aquasecurity · Oct 7, 2021 · 4bac308 · 4bac308
1 parent 2d2777d
commit 4bac308
Show file tree

Hide file tree

Showing 67 changed files with 1,588 additions and 72 deletions.
diff --git a/.idea/.gitignore b/.idea/.gitignore
diff --git a/.idea/cfsec.iml b/.idea/cfsec.iml
diff --git a/.idea/modules.xml b/.idea/modules.xml
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/aquasecurity/cfsec
 go 1.16
 
 require (
-	github.com/aquasecurity/defsec v0.0.3-0.20210924154209-d91df1dcd1f4
+	github.com/aquasecurity/defsec v0.0.3-0.20210927095822-3b46670e9b41
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/liamg/clinch v1.5.6
 	github.com/liamg/jfather v0.0.2

diff --git a/go.sum b/go.sum
@@ -36,6 +36,8 @@ github.com/aquasecurity/defsec v0.0.3-0.20210924123050-47f3bbb1359a h1:KlIDX0v8m
 github.com/aquasecurity/defsec v0.0.3-0.20210924123050-47f3bbb1359a/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/aquasecurity/defsec v0.0.3-0.20210924154209-d91df1dcd1f4 h1:/VVDhCTxISNLMtIdN4TFgzNKIVzq7pbRxp1t5fujR8U=
 github.com/aquasecurity/defsec v0.0.3-0.20210924154209-d91df1dcd1f4/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
+github.com/aquasecurity/defsec v0.0.3-0.20210927095822-3b46670e9b41 h1:Djg0qtBwF1yBNx0Pv17KXKgZMcoAiN95p6xLl6Xofwo=
+github.com/aquasecurity/defsec v0.0.3-0.20210927095822-3b46670e9b41/go.mod h1:E53TX/xJkcgpJyF5GPSat3Z+cZiLyvSNBdJAyfdl3fc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=

diff --git a/internal/app/cfsec/adapter/aws/adapt.go b/internal/app/cfsec/adapter/aws/adapt.go
@@ -9,6 +9,9 @@ import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/cloudwatch"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/codebuild"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/config"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/documentdb"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/dynamodb"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/ebs"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/s3"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
 	"github.com/aquasecurity/defsec/provider/aws"
@@ -25,6 +28,9 @@ func Adapt(cfFile parser.FileContext) aws.AWS {
 		CloudWatch: cloudwatch.Adapt(cfFile),
 		CodeBuild: codebuild.Adapt(cfFile),
 		Config: config.Adapt(cfFile),
+		DocumentDB: documentdb.Adapt(cfFile),
+		DynamoDB: dynamodb.Adapt(cfFile),
+		EBS: ebs.Adapt(cfFile),
 		S3: s3.Adapt(cfFile),
 	}
 }

diff --git a/internal/app/cfsec/adapter/aws/documentdb/cluster.go b/internal/app/cfsec/adapter/aws/documentdb/cluster.go
@@ -3,12 +3,78 @@ package documentdb
 import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
 	"github.com/aquasecurity/defsec/provider/aws/documentdb"
+	"github.com/aquasecurity/defsec/types"
 )
 
 func getClusters(ctx parser.FileContext) (clusters []documentdb.Cluster) {
 
 	clusterResources := ctx.GetResourceByType("AWS::DocDB::DBCluster")
 
+	for _, r := range clusterResources {
+		cluster := documentdb.Cluster{
+			Metadata: r.Metadata(),
+			Identifier: getIdentifier(r),
+			EnabledLogExports: getLogExports(r),
+			StorageEncrypted:  isStorageEncrypted(r),
+			KMSKeyID:          getKmsKeyId(r),
+		}
 
+		updateInstancesOnCluster(&cluster, ctx)
 
+		clusters = append(clusters, cluster)
+	}
+	return clusters
+}
+
+func updateInstancesOnCluster(cluster *documentdb.Cluster, ctx parser.FileContext) {
+
+	instanceResources := ctx.GetResourceByType("AWS::DocDB::DBInstance")
+
+	for _, r := range instanceResources {
+		 clusterIdentifier := getIdentifier(r)
+		 if clusterIdentifier == cluster.Identifier {
+			 cluster.Instances = append(cluster.Instances, documentdb.Instance{
+				 Metadata: r.Metadata(),
+				 KMSKeyID: cluster.KMSKeyID,
+			 })
+		 }
+	}
+}
+
+func getKmsKeyId(r *parser.Resource) types.StringValue {
+	kmsIdProp := r.GetProperty("KmsKeyId")
+	if kmsIdProp.IsNil() || kmsIdProp.IsNotString() {
+		return types.StringDefault("", r.Metadata())
+	}
+	return kmsIdProp.AsStringValue()
+}
+
+func getLogExports(r *parser.Resource) (logExports []types.StringValue) {
+
+	exportsList := r.GetProperty("EnableCloudwatchLogsExports")
+
+	if exportsList.IsNil() || exportsList.IsNotList() {
+		return logExports
+	}
+
+	for _, export := range exportsList.AsList() {
+		logExports = append(logExports, export.AsStringValue())
+	}
+	return logExports
+}
+
+func isStorageEncrypted(r *parser.Resource) types.BoolValue {
+	encryptedProp := r.GetProperty("StorageEncrypted")
+	if encryptedProp.IsNil() || encryptedProp.IsNotBool() {
+		return types.BoolDefault(false, r.Metadata())
+	}
+	return encryptedProp.AsBoolValue()
+}
+
+func getIdentifier(r *parser.Resource) types.StringValue {
+	identifierProp := r.GetProperty("DBClusterIdentifier")
+	if identifierProp.IsNil() {
+		return types.StringDefault("", r.Metadata())
+	}
+	return identifierProp.AsStringValue()
 }
diff --git a/internal/app/cfsec/adapter/aws/dynamodb/cluster.go b/internal/app/cfsec/adapter/aws/dynamodb/cluster.go
@@ -0,0 +1,35 @@
+package dynamodb
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/dynamodb"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func getClusters(file parser.FileContext) (clusters []dynamodb.DAXCluster) {
+
+	clusterResources := file.GetResourceByType("AWS::DAX::Cluster")
+
+	for _, r := range clusterResources {
+		cluster := dynamodb.DAXCluster{
+			Metadata:             r.Metadata(),
+			ServerSideEncryption: dynamodb.ServerSideEncryption{
+				Enabled: isEnabled(r),
+			},
+			PointInTimeRecovery:  nil,
+		}
+
+		clusters = append(clusters, cluster)
+	}
+
+	return clusters
+}
+
+func isEnabled(r *parser.Resource) types.BoolValue {
+
+	sseEnabled := r.GetProperty("SSESpecification.SSEEnabled")
+	if sseEnabled.IsNil() || sseEnabled.IsNotBool() {
+		return types.BoolDefault(false, r.Metadata())
+	}
+	return sseEnabled.AsBoolValue()
+}
diff --git a/internal/app/cfsec/adapter/aws/dynamodb/dynamodb.go b/internal/app/cfsec/adapter/aws/dynamodb/dynamodb.go
@@ -0,0 +1,14 @@
+package dynamodb
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/dynamodb"
+)
+
+func Adapt(cfFile parser.FileContext) dynamodb.DynamoDB {
+
+	return dynamodb.DynamoDB{
+		getClusters(cfFile),
+	}
+}
+
diff --git a/internal/app/cfsec/adapter/aws/ebs/ebs.go b/internal/app/cfsec/adapter/aws/ebs/ebs.go
@@ -0,0 +1,14 @@
+package ebs
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/ebs"
+)
+
+func Adapt(cfFile parser.FileContext) ebs.EBS {
+	return ebs.EBS{
+		Volumes: getVolumes(cfFile),
+	}
+
+}
+
diff --git a/internal/app/cfsec/adapter/aws/ebs/volume.go b/internal/app/cfsec/adapter/aws/ebs/volume.go
@@ -0,0 +1,41 @@
+package ebs
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/ebs"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func getVolumes(ctx parser.FileContext) (volumes []ebs.Volume) {
+
+	volumeResources := ctx.GetResourceByType("AWS::EC2::Volume")
+	for _, r := range volumeResources {
+
+		volume := ebs.Volume{
+			Metadata:   r.Metadata(),
+			Encryption: ebs.Encryption{
+				Enabled:  isEncryptionEnabled(r),
+				KMSKeyID: getKmsKeyId(r),
+			},
+		}
+
+		volumes = append(volumes, volume)
+	}
+	return volumes
+}
+
+func getKmsKeyId(r *parser.Resource) types.StringValue {
+	kmsIdProp := r.GetProperty("KmsKeyId")
+	if kmsIdProp.IsNil() || kmsIdProp.IsNotString() {
+		return types.StringDefault("", r.Metadata())
+	}
+	return kmsIdProp.AsStringValue()
+}
+
+func isEncryptionEnabled(r *parser.Resource) types.BoolValue {
+	encryptedProp := r.GetProperty("Encrypted")
+	if encryptedProp.IsNil() || encryptedProp.IsNotBool() {
+		return types.BoolDefault(false, r.Metadata())
+	}
+	return encryptedProp.AsBoolValue()
+}
diff --git a/internal/app/cfsec/parser/property.go b/internal/app/cfsec/parser/property.go
@@ -1,11 +1,12 @@
 package parser
 
 import (
+	"strings"
+
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/cftypes"
 	"github.com/aquasecurity/defsec/types"
 	"github.com/liamg/jfather"
 	"gopkg.in/yaml.v3"
-	"strings"
 )
 
 type Property struct {
@@ -136,27 +137,43 @@ func (p *Property) IsString() bool {
 	return p.Inner.Type == cftypes.String
 }
 
+func (p *Property) IsNotString() bool {
+	return !p.IsString()
+}
+
 func (p *Property) IsMap() bool {
 	if p.IsNil() {
 		return false
 	}
 	return p.Inner.Type == cftypes.Map
 }
 
+func (p *Property) IsNotMap() bool {
+	return !p.IsMap()
+}
+
 func (p *Property) IsList() bool {
 	if p.IsNil() {
 		return false
 	}
 	return p.Inner.Type == cftypes.List
 }
 
+func (p *Property) IsNotList() bool {
+	return !p.IsList()
+}
+
 func (p *Property) IsBool() bool {
 	if p.IsNil() {
 		return false
 	}
 	return p.Inner.Type == cftypes.Bool
 }
 
+func (p *Property) IsNotBool() bool {
+	return !p.IsBool()
+}
+
 func (p *Property) AsString() string {
 	return p.Inner.Value.(string)
 }

diff --git a/internal/app/cfsec/rules/aws/documentdb/documentdb.yaml b/internal/app/cfsec/rules/aws/documentdb/documentdb.yaml
diff --git a/internal/app/cfsec/rules/aws/documentdb/enable_log_export_rule.go b/internal/app/cfsec/rules/aws/documentdb/enable_log_export_rule.go
@@ -10,13 +10,22 @@ func init() {
 
 	scanner.RegisterCheckRule(rule.Rule{
 		BadExample: []string{`---
-Resources:
+ Resources:
   BadExample:
     Type: "AWS::DocDB::DBCluster"
     Properties:
-      BackupRetentionPeriod : 8
-      DBClusterIdentifier : "sample-cluster"
-      DBClusterParameterGroupName : "default.docdb3.6"
+      BackupRetentionPeriod: 8
+      DBClusterIdentifier: sample-cluster
+      DBClusterParameterGroupName: default.docdb3.6
+  BadInstanceExample:
+    Type: "AWS::DocDB::DBInstance"
+    Properties:
+      AutoMinorVersionUpgrade: true
+      AvailabilityZone: us-east-1c
+      DBClusterIdentifier: sample-cluster
+      DBInstanceClass: db.r5.large
+      DBInstanceIdentifier: sample-cluster-instance-0
+      PreferredMaintenanceWindow: 'sat:06:54-sat:07:24'
 `},
 		GoodExample: []string{`---
 Resources:
@@ -26,9 +35,19 @@ Resources:
       BackupRetentionPeriod : 8
       DBClusterIdentifier : "sample-cluster"
       DBClusterParameterGroupName : "default.docdb3.6"
+      KmsKeyId : "your-kms-key-id"
       EnableCloudwatchLogsExports:
-	  - audit
+      - audit
       - profiler
+  InstanceInstanceExample:
+    Type: "AWS::DocDB::DBInstance"
+    Properties:
+      AutoMinorVersionUpgrade: true
+      AvailabilityZone: "us-east-1c"
+      DBClusterIdentifier: "sample-cluster"
+      DBInstanceClass: "db.r5.large"
+      DBInstanceIdentifier: "sample-cluster-instance-0"
+      PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
 `},
 		Base: documentdb.CheckEnableLogExport,
 	})