IMDSv1 policy: update category, description

docs/policies/aws.md

@@ -89,7 +89,7 @@
 ### aws_apigatewayv2_api
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
-| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.High.0630 |
+| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.0630 |
 
 
 ### aws_efs_file_system
@@ -109,6 +109,7 @@
 ### aws_instance
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
+| Network Security | json | MEDIUM | EC2 instances should disable IMDS or require IMDSv2 | AC-AWS-NS-IN-M-1172 |
 | Network Security | Instance | MEDIUM | Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | AWS.Instance.NetworkSecurity.Medium.0506 |
 
 
@@ -158,7 +159,7 @@
 ### aws_apigatewayv2_stage
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
-| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.Low.0630 |
+| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.0630 |
 
 
 ### aws_ecr_repository
@@ -353,9 +354,9 @@
 ### aws_lambda_function
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
-| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.Low.0472 |
-| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.Low.0470 |
-| Encryption and Key Management | LambdaFunction | High | Lambda does not uses KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.High.0471 |
+| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.0472 |
+| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.0470 |
+| Encryption and Key Management | LambdaFunction | High | Lambda does not use KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.0471 |
 
 
 ### aws_kms_key

docs/policies/github.md

@@ -5,8 +5,15 @@
 | Identity & Access Management | github | MEDIUM | Repository is Not Private. | accurics.github.IAM.1 |
 
 
+### github_repository_webhook
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 |
+
+
 ### github_organization_webhook
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
 | Encryption and Key Management | github | MEDIUM | Insecure SSL is used for organization webhook. | accurics.github.EKM.1 |
-| Encryption and Key Management | github | MEDIUM | Insecure SSL is used for repository webhook. | accurics.github.EKM.2 |
+
+

pkg/iac-providers/terraform/v12/load-dir_test.go

@@ -17,7 +17,6 @@
 package tfv12
 
 import (
-	"bytes"
 	"encoding/json"
 	"io/ioutil"
 	"reflect"
@@ -26,6 +25,47 @@ import (
 	"github.com/accurics/terrascan/pkg/iac-providers/output"
 )
 
+// prepareAllResourceConfigs prepares a
+// map[string]map[string]output.ResourceConfig
+// from the output.AllResourceConfigs, which is a
+// map[string][]output.ResourceConfig
+//
+// The goal is to put the [] into a map[string] so that we don't rely on the
+// implicit order of the [], but can use the keys for ordering.
+// The key is computed from the source and id, which should be globally unique.
+func prepareAllResourceConfigs(v output.AllResourceConfigs) ([]byte, error) {
+
+	newval := make(map[string]map[string]output.ResourceConfig, len(v))
+	for key, val := range v {
+		newval[key] = make(map[string]output.ResourceConfig, len(val))
+		for _, item := range val {
+			newkey := item.Source + "##" + item.ID
+			newval[key][newkey] = item
+		}
+	}
+
+	contents, err := json.Marshal(newval)
+	if err != nil {
+		return []byte{}, err
+	}
+
+	return contents, nil
+}
+
+// identicalAllResourceConfigs determines if a and b have identical contents
+func identicalAllResourceConfigs(a, b output.AllResourceConfigs) (bool, error) {
+	value1, err := prepareAllResourceConfigs(a)
+	if err != nil {
+		return false, err
+	}
+	value2, err := prepareAllResourceConfigs(b)
+	if err != nil {
+		return false, err
+	}
+
+	return reflect.DeepEqual(value1, value2), nil
+}
+
 func TestLoadIacDir(t *testing.T) {
 
 	table := []struct {
@@ -107,12 +147,23 @@ func TestLoadIacDir(t *testing.T) {
 				t.Errorf("unexpected error; gotErr: '%v', wantErr: '%v'", gotErr, tt.wantErr)
 			}
 
-			gotBytes, _ := json.MarshalIndent(got, "", "  ")
-			gotBytes = append(gotBytes, []byte{'\n'}...)
-			wantBytes, _ := ioutil.ReadFile(tt.tfJSONFile)
+			var want output.AllResourceConfigs
 
-			if !bytes.Equal(bytes.TrimSpace(gotBytes), bytes.TrimSpace(wantBytes)) {
-				t.Errorf("got '%v', want: '%v'", string(gotBytes), string(wantBytes))
+			// Read the expected value and unmarshal into want
+			contents, _ := ioutil.ReadFile(tt.tfJSONFile)
+			err := json.Unmarshal(contents, &want)
+			if err != nil {
+				t.Errorf("unexpected error unmarshalling want: %v", err)
+			}
+
+			match, err := identicalAllResourceConfigs(got, want)
+			if err != nil {
+				t.Errorf("unexpected error checking result: %v", err)
+			}
+			if !match {
+				g, _ := json.MarshalIndent(got, "", "  ")
+				w, _ := json.MarshalIndent(want, "", "  ")
+				t.Errorf("got '%v', want: '%v'", string(g), string(w))
 			}
 		})
 	}

pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json

@@ -3,8 +3,8 @@
     "file": "ec2UsingIMDSv1.rego",
     "template_args": null,
     "severity": "MEDIUM",
-    "description": "Ensure there are no ECS instances using IMDSv1",
+    "description": "EC2 instances should disable IMDS or require IMDSv2",
     "reference_id": "AC-AWS-NS-IN-M-1172",
-    "category": "Unknown",
+    "category": "Network Security",
     "version": 1
-}
+}