From d6872fa4cbc7703dfcbaf6d9e8b99af07e49fc0b Mon Sep 17 00:00:00 2001 From: Jon Jarboe Date: Wed, 2 Dec 2020 13:34:31 -0800 Subject: [PATCH 1/6] IMDSv1 policy: update category, description --- .../opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json index bb927f5fa..cafa390a5 100644 --- a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json +++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json @@ -3,8 +3,8 @@ "file": "ec2UsingIMDSv1.rego", "template_args": null, "severity": "MEDIUM", - "description": "Ensure there are no ECS instances using IMDSv1", + "description": "EC2 instances should disable IMDS or require IMDSv2", "reference_id": "AC-AWS-NS-IN-M-1172", - "category": "Unknown", + "category": "Network Security", "version": 1 -} \ No newline at end of file +} From 932a1a616ffb4e789d31e0e2317fd42b23e7b637 Mon Sep 17 00:00:00 2001 From: Jon Jarboe Date: Wed, 2 Dec 2020 17:33:27 -0800 Subject: [PATCH 2/6] hopefully remove test failures due to non-deterministic comparisons --- .../terraform/v12/load-dir_test.go | 63 +++++++++++++++++-- 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/pkg/iac-providers/terraform/v12/load-dir_test.go b/pkg/iac-providers/terraform/v12/load-dir_test.go index 2a7d6682b..b28677a64 100644 --- a/pkg/iac-providers/terraform/v12/load-dir_test.go +++ b/pkg/iac-providers/terraform/v12/load-dir_test.go @@ -17,7 +17,6 @@ package tfv12 import ( - "bytes" "encoding/json" "io/ioutil" "reflect" 
@@ -26,6 +25,47 @@ import ( "github.com/accurics/terrascan/pkg/iac-providers/output" ) +// prepareAllResourceConfigs prepares a +// map[string]map[string]output.ResourceConfig +// from the output.AllResourceConfigs, which is a +// map[string][]output.ResourceConfig +// +// The goal is to put the [] into a map[string] so that we don't rely on the +// implicit order of the [], but can use the keys for ordering. +// The key is computed from the source and id, which should be globally unique. +func prepareAllResourceConfigs(v output.AllResourceConfigs) ([]byte, error) { + + newval := make(map[string]map[string]output.ResourceConfig, len(v)) + for key, val := range v { + newval[key] = make(map[string]output.ResourceConfig, len(val)) + for _, item := range val { + newkey := item.Source + "##" + item.ID + newval[key][newkey] = item + } + } + + contents, err := json.Marshal(newval) + if err != nil { + return []byte{}, err + } + + return contents, nil +} + +// identicalAllResourceConfigs determines if a and b have identical contents +func identicalAllResourceConfigs(a, b output.AllResourceConfigs) (bool, error) { + value1, err := prepareAllResourceConfigs(a) + if err != nil { + return false, err + } + value2, err := prepareAllResourceConfigs(b) + if err != nil { + return false, err + } + + return reflect.DeepEqual(value1, value2), nil +} + func TestLoadIacDir(t *testing.T) { table := []struct { 
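Review bot: The composite key `item.Source + "##" + item.ID` built in prepareAllResourceConfigs is documented as "globally unique" but never checked, so if two entries in the same resource-type bucket share Source and ID the second silently overwrites the first and identicalAllResourceConfigs can report a match even though `got` (or `want`) carries a duplicate that the other side lacks. A guard before the assignment keeps the test honest: `if _, dup := newval[key][newkey]; dup { return nil, fmt.Errorf("duplicate resource key %q under %q", newkey, key) }` (this needs `fmt` in the import block, which sits outside this hunk). The doc comment also says the function "prepares a map" while it actually returns the JSON encoding of that map; a line such as `// The map is returned JSON-encoded: encoding/json sorts map keys, so the bytes are order-independent.` would state why the detour through Marshal makes the comparison deterministic. Lastly, `reflect.DeepEqual` on two `[]byte` values works but `bytes.Equal(value1, value2)` says what is meant — the same commit removes the `bytes` import, so that would have to come back.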
@@ -107,12 +147,23 @@ func TestLoadIacDir(t *testing.T) { t.Errorf("unexpected error; gotErr: '%v', wantErr: '%v'", gotErr, tt.wantErr) } - gotBytes, _ := json.MarshalIndent(got, "", " ") - gotBytes = append(gotBytes, []byte{'\n'}...) - wantBytes, _ := ioutil.ReadFile(tt.tfJSONFile) + var want output.AllResourceConfigs - if !bytes.Equal(bytes.TrimSpace(gotBytes), bytes.TrimSpace(wantBytes)) { - t.Errorf("got '%v', want: '%v'", string(gotBytes), string(wantBytes)) + // Read the expected value and unmarshal into want + contents, _ := ioutil.ReadFile(tt.tfJSONFile) + err := json.Unmarshal(contents, &want) + if err != nil { + t.Errorf("unexpected error unmarshalling want: %v", err) + } + + match, err := identicalAllResourceConfigs(got, want) + if err != nil { + t.Errorf("unexpected error checking result: %v", err) + } + if !match { + g, _ := json.MarshalIndent(got, "", " ") + w, _ := json.MarshalIndent(want, "", " ") + t.Errorf("got '%v', want: '%v'", string(g), string(w)) } }) } From 321cf34bb738eec68f0e9967b36f5529c8eb40e8 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Wed, 2 Dec 2020 21:09:59 -0500 Subject: [PATCH 3/6] updates policy docs --- docs/policies/aws.md | 11 ++++++----- docs/policies/github.md | 9 ++++++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/policies/aws.md b/docs/policies/aws.md index 7f2a65f57..2cecfe119 100644 --- a/docs/policies/aws.md +++ b/docs/policies/aws.md @@ -89,7 +89,7 @@ ### aws_apigatewayv2_api | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.High.0630 | +| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.0630 | ### aws_efs_file_system 
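Review bot: `contents, _ := ioutil.ReadFile(tt.tfJSONFile)` discards the read error, so a missing or unreadable golden file only surfaces as an `unexpected end of JSON input` failure from json.Unmarshal, which points at the wrong cause; check it with `if err != nil { t.Fatalf("reading %s: %v", tt.tfJSONFile, err) }`. The unmarshal and identicalAllResourceConfigs failures use `t.Errorf` and then fall through to the comparison, so one broken fixture also produces a second, misleading got/want dump against an empty `want`; inside the subtest `t.Fatalf` (or a `return` after `t.Errorf`) is the usual form. TestLoadIacDir and its table-driven loop begin before this hunk, so the `got`/`gotErr` assignments being compared are not visible here.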
@@ -109,6 +109,7 @@ ### aws_instance | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | +| Network Security | json | MEDIUM | EC2 instances should disable IMDS or require IMDSv2 | AC-AWS-NS-IN-M-1172 | | Network Security | Instance | MEDIUM | Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | AWS.Instance.NetworkSecurity.Medium.0506 | @@ -158,7 +159,7 @@ ### aws_apigatewayv2_stage | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.Low.0630 | +| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.0630 | ### aws_ecr_repository 
@@ -353,9 +354,9 @@ ### aws_lambda_function | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.Low.0472 | -| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.Low.0470 | -| Encryption and Key Management | LambdaFunction | High | Lambda does not uses KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.High.0471 | +| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.0472 | +| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.0470 | +| Encryption and Key Management | LambdaFunction | High | Lambda does not use KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.0471 | ### aws_kms_key diff --git a/docs/policies/github.md b/docs/policies/github.md index 851299fbd..8b946418a 100644 --- a/docs/policies/github.md +++ b/docs/policies/github.md 
@@ -5,8 +5,15 @@ | Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 | +### github_repository_webhook +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 | + + ### github_organization_webhook | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | | Encryption and Key Management | github | MEDIUM | Insecure SSL is used for organization webhook. | accurics.github.EKM.1 | -| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 | + + From b2a7d06a01a6fde174666d9ddd097282726279d1 Mon Sep 17 00:00:00 2001 From: Jon Jarboe Date: Wed, 2 Dec 2020 17:33:27 -0800 Subject: [PATCH 4/6] hopefully remove test failures due to non-deterministic comparisons --- .../terraform/v12/load-dir_test.go | 63 +++++++++++++++++-- 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/pkg/iac-providers/terraform/v12/load-dir_test.go b/pkg/iac-providers/terraform/v12/load-dir_test.go index 2a7d6682b..b28677a64 100644 --- a/pkg/iac-providers/terraform/v12/load-dir_test.go +++ b/pkg/iac-providers/terraform/v12/load-dir_test.go @@ -17,7 +17,6 @@ package tfv12 import ( - "bytes" "encoding/json" "io/ioutil" "reflect" 
@@ -26,6 +25,47 @@ import ( "github.com/accurics/terrascan/pkg/iac-providers/output" ) +// prepareAllResourceConfigs prepares a +// map[string]map[string]output.ResourceConfig +// from the output.AllResourceConfigs, which is a +// map[string][]output.ResourceConfig +// +// The goal is to put the [] into a map[string] so that we don't rely on the +// implicit order of the [], but can use the keys for ordering. +// The key is computed from the source and id, which should be globally unique. +func prepareAllResourceConfigs(v output.AllResourceConfigs) ([]byte, error) { + + newval := make(map[string]map[string]output.ResourceConfig, len(v)) + for key, val := range v { + newval[key] = make(map[string]output.ResourceConfig, len(val)) + for _, item := range val { + newkey := item.Source + "##" + item.ID + newval[key][newkey] = item + } + } + + contents, err := json.Marshal(newval) + if err != nil { + return []byte{}, err + } + + return contents, nil +} + +// identicalAllResourceConfigs determines if a and b have identical contents +func identicalAllResourceConfigs(a, b output.AllResourceConfigs) (bool, error) { + value1, err := prepareAllResourceConfigs(a) + if err != nil { + return false, err + } + value2, err := prepareAllResourceConfigs(b) + if err != nil { + return false, err + } + + return reflect.DeepEqual(value1, value2), nil +} + func TestLoadIacDir(t *testing.T) { table := []struct { 
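Review bot: This hunk is byte-identical to the one in PATCH 2/6 (same blob index `2a7d6682b..b28677a64` in the file header), and PATCH 5/6 and 6/6 likewise repeat PATCH 1/6 and 3/6 under new commit hashes, so the series applies every change twice; the second application will most likely fail as already-applied or land as an empty commit, and the series should be squashed back to three patches before merge. The unchecked-key concern from the first copy applies here as well: `newval[key][newkey] = item` overwrites silently when two resources share `Source` and `ID`, so a guard such as `if _, dup := newval[key][newkey]; dup { return nil, fmt.Errorf("duplicate resource key %q under %q", newkey, key) }` is worth adding in whichever copy survives.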
@@ -107,12 +147,23 @@ func TestLoadIacDir(t *testing.T) { t.Errorf("unexpected error; gotErr: '%v', wantErr: '%v'", gotErr, tt.wantErr) } - gotBytes, _ := json.MarshalIndent(got, "", " ") - gotBytes = append(gotBytes, []byte{'\n'}...) - wantBytes, _ := ioutil.ReadFile(tt.tfJSONFile) + var want output.AllResourceConfigs - if !bytes.Equal(bytes.TrimSpace(gotBytes), bytes.TrimSpace(wantBytes)) { - t.Errorf("got '%v', want: '%v'", string(gotBytes), string(wantBytes)) + // Read the expected value and unmarshal into want + contents, _ := ioutil.ReadFile(tt.tfJSONFile) + err := json.Unmarshal(contents, &want) + if err != nil { + t.Errorf("unexpected error unmarshalling want: %v", err) + } + + match, err := identicalAllResourceConfigs(got, want) + if err != nil { + t.Errorf("unexpected error checking result: %v", err) + } + if !match { + g, _ := json.MarshalIndent(got, "", " ") + w, _ := json.MarshalIndent(want, "", " ") + t.Errorf("got '%v', want: '%v'", string(g), string(w)) } }) } From df73bc49a0c01e3b9f0a56891dc1d2c1d19ab6c4 Mon Sep 17 00:00:00 2001 From: Jon Jarboe Date: Wed, 2 Dec 2020 13:34:31 -0800 Subject: [PATCH 5/6] IMDSv1 policy: update category, description --- .../opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json index bb927f5fa..cafa390a5 100644 --- a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json +++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json @@ -3,8 +3,8 @@ "file": "ec2UsingIMDSv1.rego", "template_args": null, "severity": "MEDIUM", - "description": "Ensure there are no ECS instances using IMDSv1", + "description": "EC2 instances should disable IMDS or require IMDSv2", "reference_id": "AC-AWS-NS-IN-M-1172", - "category": "Unknown", + "category": "Network Security", "version": 1 -} \ No newline at end of file +} 
From 303d7166ee078114484b4edce23cb9a875f66b89 Mon Sep 17 00:00:00 2001 From: Cesar Rodriguez Date: Wed, 2 Dec 2020 21:09:59 -0500 Subject: [PATCH 6/6] updates policy docs --- docs/policies/aws.md | 11 ++++++----- docs/policies/github.md | 9 ++++++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/policies/aws.md b/docs/policies/aws.md index 7f2a65f57..2cecfe119 100644 --- a/docs/policies/aws.md +++ b/docs/policies/aws.md @@ -89,7 +89,7 @@ ### aws_apigatewayv2_api | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.High.0630 | +| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.0630 | ### aws_efs_file_system @@ -109,6 +109,7 @@ ### aws_instance | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | +| Network Security | json | MEDIUM | EC2 instances should disable IMDS or require IMDSv2 | AC-AWS-NS-IN-M-1172 | | Network Security | Instance | MEDIUM | Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | AWS.Instance.NetworkSecurity.Medium.0506 | @@ -158,7 +159,7 @@ ### aws_apigatewayv2_stage | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.Low.0630 | +| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.0630 | ### aws_ecr_repository 
@@ -353,9 +354,9 @@ ### aws_lambda_function | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | -| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.Low.0472 | -| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.Low.0470 | -| Encryption and Key Management | LambdaFunction | High | Lambda does not uses KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.High.0471 | +| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.0472 | +| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.0470 | +| Encryption and Key Management | LambdaFunction | High | Lambda does not use KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.0471 | ### aws_kms_key diff --git a/docs/policies/github.md b/docs/policies/github.md index 851299fbd..8b946418a 100644 --- a/docs/policies/github.md +++ b/docs/policies/github.md 
@@ -5,8 +5,15 @@ | Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 | +### github_repository_webhook +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 | + + ### github_organization_webhook | Category | Resource | Severity | Description | Reference ID | | -------- | -------- | -------- | ----------- | ------------ | | Encryption and Key Management | github | MEDIUM | Insecure SSL is used for organization webhook. | accurics.github.EKM.1 | -| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 | + +