diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 590674b2c4c..0daa4004347 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "5ba316a9-c466-4ec1-8d5b-bc6107dc9a92",
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Observability",
 "descriptionText": "Check if SNS topic name is set for CloudTrail",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html",
diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index 37e10fcc489..85466e93e7a 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 2
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 15
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
deleted file mode 100644
index 26af58a8af0..00000000000
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ /dev/null
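Review bot: The severity is moved from INFO to LOW without the previous value being recorded, although the metadata schema in this repository appears to carry an `oldSeverity` field for that purpose (the deleted `user_data_shell_script_is_encoded/metadata.json` in this same commit contains `"oldSeverity": "HIGH"`). If that field is how severity changes are tracked, the same applies to the other metadata.json hunks here: `iam_role_allows_all_principals_to_assume` (HIGH to MEDIUM, both the Ansible and the CloudFormation query), `cloud_storage_bucket_versioning_disabled` (LOW to MEDIUM) and the CloudFormation `cloudtrail_sns_topic_name_undefined` (INFO to LOW). Consider adding `"oldSeverity": "INFO"` next to the new value so that consumers comparing scan results across releases can see that the rating, not the finding, changed.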
@@ -1,12 +0,0 @@
-{
- "id": "7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892",
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "It's not recommended to use plaintext environment variables for sensitive information, such as credential data.",
- "descriptionUrl": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_environment",
- "platform": "Ansible",
- "descriptionID": "a6c6fa9c",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/query.rego b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/query.rego
deleted file mode 100644
index 1b1486e6d1c..00000000000
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/query.rego
+++ /dev/null
@@ -1,29 +0,0 @@
-package Cx
-
-import data.generic.ansible as ansLib
-
-CxPolicy[result] {
- task := ansLib.tasks[id][t]
- modules := {"community.aws.ecs_taskdefinition", "ecs_taskdefinition"}
- ecs_taskdefinition := task[modules[m]]
- ansLib.checkState(ecs_taskdefinition)
-
- container := ecs_taskdefinition.containers[j]
- password := ["password", "pw", "pass"]
- checkPassword(container.env, password)
-
- result := {
- "documentId": id,
- "resourceType": modules[m],
- "resourceName": task.name,
- "searchKey": sprintf("name={{%s}}.{{%s}}.containers.name={{%s}}.env", [task.name, modules[m], container.name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'ecs_taskdefinition.containers.env' shouldn't have 'password' value",
- "keyActualValue": "'ecs_taskdefinition.containers.env' has 'password' value",
- }
-}
-
-checkPassword(env, password) {
- key := [x | env[idx][j]; upper(j) == upper(password[_]); x = j]
- count(key) > 0
-}
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml
deleted file mode 100644
index 49eb827e02f..00000000000
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: Create task definition
- community.aws.ecs_taskdefinition:
- family: nginx
- containers:
- - name: nginx
- essential: true
- image: nginx
- portMappings:
- - containerPort: 8080
- hostPort: 8080
- launch_type: FARGATE
- cpu: 512
- memory: 1024
- state: present
- network_mode: awsvpc
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml
deleted file mode 100644
index 3a83e88d609..00000000000
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-- name: Create task definition
- community.aws.ecs_taskdefinition:
- family: nginx
- containers:
- - name: nginx
- essential: true
- image: "nginx"
- portMappings:
- - containerPort: 8080
- hostPort: 8080
- env:
- - password: shhh
- launch_type: FARGATE
- cpu: 512
- memory: 1024
- state: present
- network_mode: awsvpc
diff --git a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json
deleted file mode 100644
index 84dd33dc43e..00000000000
--- a/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "line": 11
- }
-]
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
index d15993fa893..6e13fb806f4 100644
--- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "babdedcf-d859-43da-9a7b-6d72e661a8fd",
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "IAM role allows all services or principals to assume it",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
index 2912bd7c87f..770a1a9129e 100644
--- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 4,
 "fileName": "positive.yaml"
 },
 {
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 17,
 "fileName": "positive.yaml"
 }
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
deleted file mode 100644
index e58434bbdfe..00000000000
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/metadata.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "id": "1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89",
- "queryName": "User Data Shell Script Is Encoded",
- "severity": "LOW",
- "category": "Encryption",
- "descriptionText": "User Data Shell Script must be encoded",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html",
- "platform": "Ansible",
- "descriptionID": "062f28ff",
- "cloudProvider": "aws",
- "cwe": "",
- "oldSeverity": "HIGH"
-}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/query.rego b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/query.rego
deleted file mode 100644
index 776ddc0afcb..00000000000
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/query.rego
+++ /dev/null
@@ -1,33 +0,0 @@
-package Cx
-
-import data.generic.ansible as ansLib
-
-CxPolicy[result] {
- task := ansLib.tasks[id][t]
- modules := {"community.aws.ec2_lc", "ec2_lc"}
- ec2_lc := task[modules[m]]
- ansLib.checkState(ec2_lc)
-
- decode_result := check_user_data(ec2_lc.user_data)
- startswith(decode_result, "#!/")
-
- result := {
- "documentId": id,
- "resourceType": modules[m],
- "resourceName": task.name,
- "searchKey": sprintf("name={{%s}}.{{%s}}.user_data", [task.name, modules[m]]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "ec2_lc.user_data should not be shell script",
- "keyActualValue": "ec2_lc.user_data is shell script",
- }
-}
-
-check_user_data(user_data) = result {
- user_data == null
- result := base64.decode("dGVzdA==") #test
-}
-
-check_user_data(user_data) = result {
- user_data != null
- result := base64.decode(user_data)
-}
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/negative.yaml b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/negative.yaml
deleted file mode 100644
index a27346f7790..00000000000
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/negative.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-- name: note that encrypted volumes are only supported in >= Ansible 2.4
- community.aws.ec2_lc:
- name: special
- image_id: ami-XXX
- key_name: default
- security_groups: [group, group2]
- instance_type: t1.micro
- user_data: ZWNobyAiSGVsbG8gd29ybGQi
- volumes:
- - device_name: /dev/sda1
- volume_size: 100
- volume_type: io1
- iops: 3000
- delete_on_termination: true
- encrypted: true
- - device_name: /dev/sdb
- ephemeral: ephemeral0
-- name: note that encrypted volumes are only supported in >= Ansible 2.4.2
- community.aws.ec2_lc:
- name: special2
- image_id: ami-XXX
- key_name: default
- security_groups: [group, group2]
- instance_type: t1.micro
- user_data:
- volumes:
- - device_name: /dev/sda1
- volume_size: 100
- volume_type: io1
- iops: 3000
- delete_on_termination: true
- encrypted: true
- - device_name: /dev/sdb
- ephemeral: ephemeral0
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive.yaml b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive.yaml
deleted file mode 100644
index 0b140731b19..00000000000
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: note that encrypted volumes are only supported in >= Ansible 2.4
- community.aws.ec2_lc:
- name: special
- image_id: ami-XXX
- key_name: default
- security_groups: ['group', 'group2']
- instance_type: t1.micro
- user_data: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==
- volumes:
- - device_name: /dev/sda1
- volume_size: 100
- volume_type: io1
- iops: 3000
- delete_on_termination: true
- encrypted: true
- - device_name: /dev/sdb
- ephemeral: ephemeral0
diff --git a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json b/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json
deleted file mode 100644
index 6d1794972a0..00000000000
--- a/assets/queries/ansible/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "User Data Shell Script Is Encoded",
- "severity": "LOW",
- "line": 9
- }
-]
\ No newline at end of file
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index b6702c1a7da..59595a8ee2b 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "7814ddda-e758-4a56-8be3-289a81ded929",
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Cloud Storage Bucket should have versioning enabled",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-versioning",
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index 8cefe4e1d11..e2023f7479b 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 3
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 17
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 9e33f759da4..cd0b6df2001 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "3e09413f-471e-40f3-8626-990c79ae63f3",
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Observability",
 "descriptionText": "Check if SNS topic name is set for CloudTrail",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-snstopicname",
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index 94cba9dfaed..c7914b58792 100644
--- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 22,
 "fileName": "positive1.yaml"
 },
@@ -15,11 +15,11 @@
 "line": 9,
 "fileName": "positive2.json",
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO"
+ "severity": "LOW"
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 23,
 "fileName": "positive2.json"
 }
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
deleted file mode 100644
index f16ce23301e..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "f9b10cdb-eaab-4e39-9793-e12b94a582ad",
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "It's not recommended to use plaintext environment variables for sensitive information, such as credential data.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment",
- "platform": "CloudFormation",
- "descriptionID": "a763eedb",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/query.rego b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/query.rego
deleted file mode 100644
index 36bfd3bfeaf..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/query.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package Cx
-
-import data.generic.cloudformation as cf_lib
-
-CxPolicy[result] {
- resource := input.document[i].Resources[name]
- resource.Type == "AWS::ECS::TaskDefinition"
- contDef := resource.Properties.ContainerDefinitions[_]
- env := contDef.Environment[_]
- contains(env.Name,"password")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("Resources.%s.Properties.ContainerDefinitions.Environment.Name=password", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'Resources.%s.Properties.ContainerDefinitions.Environment' should not contain a plaintext password", [name]),
- "keyActualValue": sprintf("'Resources.%s.Properties.ContainerDefinitions.Environment' contains a plaintext password", [name]),
- }
-}
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.json
deleted file mode 100644
index 484c21ed3ad..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "A sample template",
- "Resources": {
- "taskdefinition": {
- "Type": "AWS::ECS::TaskDefinition",
- "Properties": {
- "Volumes": [
- {
- "Host": {
- "SourcePath": "/var/lib/docker/vfs/dir/"
- },
- "Name": "my-vol"
- }
- ],
- "ContainerDefinitions": [
- {
- "EntryPoint": [
- "/usr/sbin/apache2",
- "-D",
- "FOREGROUND"
- ],
- "Memory": 512,
- "PortMappings": [
- {
- "ContainerPort": {
- "Ref": "AppContainerPort"
- },
- "HostPort": {
- "Ref": "AppHostPort"
- }
- }
- ],
- "MountPoints": [
- {
- "SourceVolume": "my-vol",
- "ContainerPath": "/var/www/my-vol"
- }
- ],
- "Image": "amazon/amazon-ecs-sample",
- "Cpu": 256,
- "HealthCheck": {
- "Command": [
- "CMD-SHELL",
- "curl -f http://localhost:8080/ || exit 1"
- ],
- "Interval": 30,
- "Retries": 3,
- "StartPeriod": 1,
- "Timeout": 5
- },
- "Essential": true,
- "Name": {
- "Ref": "AppName"
- }
- }
- ]
- }
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml
deleted file mode 100644
index 9c071829fbe..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/negative.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-AWSTemplateFormatVersion: "2010-09-09"
-Description: A sample template
-Resources:
- taskdefinition2:
- Type: AWS::ECS::TaskDefinition
- Properties:
- ContainerDefinitions:
- - Name:
- Ref: "AppName"
- MountPoints:
- - SourceVolume: "my-vol"
- ContainerPath: "/var/www/my-vol"
- Image: "amazon/amazon-ecs-sample"
- Cpu: 256
- PortMappings:
- - ContainerPort:
- Ref: "AppContainerPort"
- HostPort:
- Ref: "AppHostPort"
- EntryPoint:
- - "/usr/sbin/apache2"
- - "-D"
- - "FOREGROUND"
- HealthCheck:
- Command:
- - CMD-SHELL
- - curl -f http://localhost:8080/ || exit 1
- Interval: 30
- Retries: 3
- StartPeriod: 1
- Timeout: 5
- Memory: 512
- Essential: true
- Volumes:
- - Host:
- SourcePath: "/var/lib/docker/vfs/dir/"
- Name: "my-vol"
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.json
deleted file mode 100644
index d65f656c53f..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "A sample template",
- "Resources": {
- "taskdefinition3": {
- "Type": "AWS::ECS::TaskDefinition",
- "Properties": {
- "ContainerDefinitions": [
- {
- "MountPoints": [
- {
- "SourceVolume": "my-vol",
- "ContainerPath": "/var/www/my-vol"
- }
- ],
- "Image": "amazon/amazon-ecs-sample",
- "Cpu": 256,
- "PortMappings": [
- {
- "HostPort": {
- "Ref": "AppHostPort"
- },
- "ContainerPort": {
- "Ref": "AppContainerPort"
- }
- }
- ],
- "EntryPoint": [
- "/usr/sbin/apache2",
- "-D",
- "FOREGROUND"
- ],
- "Memory": 512,
- "Essential": true,
- "Name": {
- "Ref": "AppName"
- },
- "Environment": [
- {
- "Name": "password",
- "Value": "123123"
- }
- ]
- }
- ],
- "Volumes": [
- {
- "Host": {
- "SourcePath": "/var/lib/docker/vfs/dir/"
- },
- "Name": "my-vol"
- }
- ]
- }
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml
deleted file mode 100644
index 935891e39e7..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-AWSTemplateFormatVersion: "2010-09-09"
-Description: A sample template
-Resources:
- taskdefinition4:
- Type: AWS::ECS::TaskDefinition
- Properties:
- ContainerDefinitions:
- - Name:
- Ref: "AppName"
- MountPoints:
- - SourceVolume: "my-vol"
- ContainerPath: "/var/www/my-vol"
- Image: "amazon/amazon-ecs-sample"
- Cpu: 256
- PortMappings:
- - ContainerPort:
- Ref: "AppContainerPort"
- HostPort:
- Ref: "AppHostPort"
- EntryPoint:
- - "/usr/sbin/apache2"
- - "-D"
- - "FOREGROUND"
- Memory: 512
- Essential: true
- Environment:
- - Name: "password"
- Value: 123123123
- Volumes:
- - Host:
- SourcePath: "/var/lib/docker/vfs/dir/"
- Name: "my-vol"
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json
deleted file mode 100644
index d2b25b837a8..00000000000
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password/test/positive_expected_result.json
+++ /dev/null
@@ -1,14 +0,0 @@
-[
- {
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "line": 27,
- "fileName": "positive.yaml"
- },
- {
- "line": 40,
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "fileName": "positive.json"
- }
-]
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
index e77ce60b007..b3439bc20e3 100644
--- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
+++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "f80e3aa7-7b34-4185-954e-440a6894dde6",
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "IAM role allows all services or principals to assume it",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument",
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
index 34ce38c062b..2781e221e62 100644
--- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 6,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "IAM Role Allows All Principals To Assume",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 7,
 "fileName": "positive2.json"
 }
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
deleted file mode 100644
index ece84d4ed07..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "4fbfee74-8186-40d5-a24e-4baa76a855de",
- "queryName": "SQS Queue Policy Allows NotAction",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited",
- "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html",
- "platform": "CloudFormation",
- "descriptionID": "6caa1d1d",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/query.rego b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/query.rego
deleted file mode 100644
index 73b85d6c981..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/query.rego
+++ /dev/null
@@ -1,27 +0,0 @@
-package Cx
-
-import data.generic.common as common_lib
-import data.generic.cloudformation as cf_lib
-
-CxPolicy[result] {
- resource := input.document[i].Resources[name]
- resource.Type == "AWS::SQS::QueuePolicy"
-
- policy := resource.Properties.PolicyDocument
- st := common_lib.get_statement(common_lib.get_policy(policy))
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
- common_lib.valid_key(statement, "NotAction")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("Resources.%s.Properties.PolicyDocument", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.PolicyDocument.Statement.NotAction should be undefined while Resources.%s.Properties.PolicyDocument.Statement.Effect=Allow", [name, name]),
- "keyActualValue": sprintf("Resources.%s.Properties.PolicyDocument.Statement.NotAction is set while Resources.%s.Properties.PolicyDocument.Statement.Effect=Allow", [name, name]),
- "searchLine": common_lib.build_search_line(["Resource", name, "Properties", "PolicyDocument"], []),
- }
-}
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative1.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative1.yaml
deleted file mode 100644
index 62d11ee7b56..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative1.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-Resources:
- SampleSQSPolicy1:
- Type: AWS::SQS::QueuePolicy
- Properties:
- Queues:
- - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
- PolicyDocument:
- Statement:
- -
- Action:
- - "SQS:SendMessage"
- - "SQS:ReceiveMessage"
- Effect: "Allow"
- Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
- Principal:
- AWS:
- - "111122223333"
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative2.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative2.json
deleted file mode 100644
index 8fefc3cd672..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/negative2.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Resources": {
- "SampleSQSPolicy1": {
- "Type": "AWS::SQS::QueuePolicy",
- "Properties": {
- "Queues": [
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
- ],
- "PolicyDocument": {
- "Statement": [
- {
- "Action": [
- "SQS:SendMessage",
- "SQS:ReceiveMessage"
- ],
- "Effect": "Allow",
- "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
- "Principal": {
- "AWS": [
- "111122223333"
- ]
- }
- }
- ]
- }
- }
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive1.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive1.yaml
deleted file mode 100644
index 41b6a7f3b79..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive1.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-Resources:
- SampleSQSPolicy2:
- Type: AWS::SQS::QueuePolicy
- Properties:
- Queues:
- - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
- PolicyDocument:
- Statement:
- -
- NotAction:
- - "SQS:SendMessage"
- - "SQS:ReceiveMessage"
- Effect: "Allow"
- Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
- Principal:
- AWS:
- - "111122223333"
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive2.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive2.json
deleted file mode 100644
index b652ca697b2..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive2.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Resources": {
- "SampleSQSPolicy2": {
- "Type": "AWS::SQS::QueuePolicy",
- "Properties": {
- "PolicyDocument": {
- "Statement": [
- {
- "NotAction": [
- "SQS:SendMessage",
- "SQS:ReceiveMessage"
- ],
- "Effect": "Allow",
- "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
- "Principal": {
- "AWS": [
- "111122223333"
- ]
- }
- }
- ]
- },
- "Queues": [
- "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
- ]
- }
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive_expected_result.json
deleted file mode 100644
index e7b20405342..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action/test/positive_expected_result.json
+++ /dev/null
@@ -1,14 +0,0 @@
-[
- {
- "queryName": "SQS Queue Policy Allows NotAction",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "SQS Queue Policy Allows NotAction",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.json"
- }
-]
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
deleted file mode 100644
index a09903eee16..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "4a8fc9a2-2b2f-4b3f-aa8d-401425872034",
- "queryName": "SQS Queue Policy Allows NotPrincipal",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `\"Effect\": \"Allow\"`.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html",
- "platform": "CloudFormation",
- "descriptionID": "78666d87",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/query.rego b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/query.rego
deleted file mode 100644
index 2f826b1f044..00000000000
--- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/query.rego
+++ /dev/null
@@ -1,29 +0,0 @@ -package Cx - -import data.generic.common as common_lib -import data.generic.cloudformation as cf_lib - -CxPolicy[result] { - document := input.document[i] - - document.Resources[queuePolicyName].Type == "AWS::SQS::QueuePolicy" - queuePolicy := document.Resources[queuePolicyName] - - policy := queuePolicy.Properties.PolicyDocument - st := common_lib.get_statement(common_lib.get_policy(policy)) - statement := st[_] - - common_lib.is_allow_effect(statement) - common_lib.valid_key(statement, "NotPrincipal") - - result := { - "documentId": document.id, - "resourceType": document.Resources[queuePolicyName], - "resourceName": cf_lib.get_resource_name(document.Resources[queuePolicyName], queuePolicyName), - "searchKey": sprintf("Resources.%s.Properties.PolicyDocument", [queuePolicyName]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.PolicyDocument.Statement.NotPrincipal should never be used when Effect=Allow", [queuePolicyName]), - "keyActualValue": sprintf("Resources.%s.Properties.PolicyDocument.Statement.NotPrincipal is set and Effect=Allow", [queuePolicyName]), - "searchLine": common_lib.build_search_line(["Resource", queuePolicyName, "Properties", "PolicyDocument"], []), - } -} diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative1.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative1.yaml deleted file mode 100644 index 0d0cf609cde..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative1.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -#this code is a correct code for which the query should not find any result -Resources: - SampleSQSPolicy: - Type: AWS::SQS::QueuePolicy - Properties: - Queues: - - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - PolicyDocument: - Statement: - - - Action: - - "SQS:SendMessage" - - "SQS:ReceiveMessage" - Effect: "Deny" - Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" - NotPrincipal: - AWS: - - "111122223333" - - "*" diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative2.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative2.yaml deleted file mode 100644 index f6a642ea8ed..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative2.yaml +++ /dev/null @@ -1,18 +0,0 @@ - -Resources: - SampleSQSPolicy2: - Type: AWS::SQS::QueuePolicy - Properties: - Queues: - - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - PolicyDocument: - Statement: - - - Action: - - "SQS:SendMessage" - - "SQS:CreateQueue" - Effect: "Allow" - Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" - Principal: - AWS: - - "111122223333" diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative3.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative3.json deleted file mode 100644 index 51876b2b502..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative3.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "Resources": { - "SampleSQSPolicy": { - "Type": "AWS::SQS::QueuePolicy", - "Properties": { - "Queues": [ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - ], - "PolicyDocument": { - "Statement": [ - { - "NotPrincipal": { - "AWS": [ - "111122223333", - "*" - ] - }, - "Action": [ - "SQS:SendMessage", - "SQS:ReceiveMessage" - ], - "Effect": "Deny", - "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2" - } - ] - } - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative4.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative4.json deleted file mode 100644 index 5ba8bae771e..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/negative4.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "Resources": { - "SampleSQSPolicy2": { - "Properties": { - "Queues": [ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - ], - "PolicyDocument": { - "Statement": [ - { - "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", - "Principal": { - "AWS": [ - "111122223333" - ] - }, - "Action": [ - "SQS:SendMessage", - "SQS:CreateQueue" - ], - "Effect": "Allow" - } - ] - } - }, - "Type": "AWS::SQS::QueuePolicy" - } - } -} diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive1.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive1.yaml deleted file mode 100644 index 82c8090c251..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive1.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -Resources: - SampleSQSPolicy: - Type: AWS::SQS::QueuePolicy - Properties: - Queues: - - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - PolicyDocument: - Statement: - - - Action: - - "SQS:SendMessage" - - "SQS:ReceiveMessage" - Effect: "Allow" - Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" - NotPrincipal: - AWS: - - "111122223333" - - "*" diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive2.yaml b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive2.yaml deleted file mode 100644 index 093f29b385b..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive2.yaml +++ /dev/null @@ -1,17 +0,0 @@ -Resources: - SampleSQSPolicy2: - Type: AWS::SQS::QueuePolicy - Properties: - Queues: - - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - PolicyDocument: - Statement: - - - Action: - - "SQS:SendMessage" - - "SQS:CreateQueue" - Effect: "Allow" - Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" - NotPrincipal: - AWS: - - "111122223333" diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive3.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive3.json deleted file mode 100644 index 5c5a0117afa..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive3.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "Resources": { - "SampleSQSPolicy": { - "Type": "AWS::SQS::QueuePolicy", - "Properties": { - "Queues": [ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - ], - "PolicyDocument": { - "Statement": [ - { - "NotPrincipal": { - "AWS": [ - "111122223333", - "*" - ] - }, - "Action": [ - "SQS:SendMessage", - "SQS:ReceiveMessage" - ], - "Effect": "Allow", - "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2" - } - ] - } - } - } - } -} 
diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive4.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive4.json deleted file mode 100644 index c939f8cc468..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive4.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "Resources": { - "SampleSQSPolicy2": { - "Type": "AWS::SQS::QueuePolicy", - "Properties": { - "Queues": [ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" - ], - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "SQS:SendMessage", - "SQS:CreateQueue" - ], - "Effect": "Allow", - "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", - "NotPrincipal": { - "AWS": [ - "111122223333" - ] - } - } - ] - } - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive_expected_result.json deleted file mode 100644 index b8c6f5c8f55..00000000000 --- a/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal/test/positive_expected_result.json +++ /dev/null @@ -1,26 +0,0 @@ -[ - { - "queryName": "SQS Queue Policy Allows NotPrincipal", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "SQS Queue Policy Allows NotPrincipal", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.yaml" - }, - { - "queryName": "SQS Queue Policy Allows NotPrincipal", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.json" - }, - { - "queryName": "SQS Queue Policy Allows NotPrincipal", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.json" - } -] 
diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json deleted file mode 100644 index 82e778fc24e..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/metadata.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "id": "48c3bc58-6959-4f27-b647-4fedeace23be", - "queryName": "User Data Shell Script Is Encoded", - "severity": "LOW", - "category": "Encryption", - "descriptionText": "User Data Shell Script must be encoded", - "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata", - "platform": "CloudFormation", - "descriptionID": "f951996f", - "cloudProvider": "aws", - "cwe": "", - "oldSeverity": "HIGH" -} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/query.rego b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/query.rego deleted file mode 100644 index e8423111afa..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/query.rego +++ /dev/null 
@@ -1,32 +0,0 @@ -package Cx - -import data.generic.cloudformation as cf_lib - -CxPolicy[result] { - resource := input.document[i].Resources[name] - resource.Type == "AWS::AutoScaling::LaunchConfiguration" - userData := resource.Properties.UserData - - decodedResult := check_user_data(userData) - startswith(decodedResult, "#!/") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.UserData", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'Resources.%s.Properties.UserData' should not be shell script", [name]), - "keyActualValue": sprintf("'Resources.%s.Properties..UserData' is shell script", [name]), - } -} - -check_user_data(user_data) = result { - user_data == null - result := base64.decode("dGVzdA==") #test -} - -check_user_data(user_data) = result { - user_data != null - result := base64.decode(user_data) -} diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative1.yaml b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative1.yaml deleted file mode 100644 index 047505eb66a..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative1.yaml +++ /dev/null @@ -1,18 +0,0 @@ -Resources: - myLaunchConfig: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - ImageId: !Ref LatestAmiId - SecurityGroups: - - Ref: "myEC2SecurityGroup" - InstanceType: - Ref: "InstanceType" - BlockDeviceMappings: - - DeviceName: /dev/sda1 - Ebs: - VolumeSize: 30 - VolumeType: "gp2" - - DeviceName: /dev/sdm - Ebs: - VolumeSize: 100 - DeleteOnTermination: "false" diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative2.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative2.json deleted file mode 100644 index 9bfd18a8a70..00000000000 
--- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/negative2.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Resources": { - "myLaunchConfig": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "ImageId": { - "Ref": "LatestAmiId" - }, - "SecurityGroups": [ - { - "Ref": "myEC2SecurityGroup" - } - ], - "InstanceType": { - "Ref": "InstanceType" - }, - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/sda1", - "Ebs": { - "VolumeSize": "30", - "VolumeType": "gp2" - } - }, - { - "DeviceName": "/dev/sdm", - "Ebs": { - "VolumeSize": "100", - "DeleteOnTermination": "false" - } - } - ] - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive1.yaml b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive1.yaml deleted file mode 100644 index 913bd3de1c7..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive1.yaml +++ /dev/null @@ -1,19 +0,0 @@ -Resources: - myLaunchConfig: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - ImageId: !Ref LatestAmiId - SecurityGroups: - - Ref: "myEC2SecurityGroup" - InstanceType: - Ref: "InstanceType" - BlockDeviceMappings: - - DeviceName: /dev/sda1 - Ebs: - VolumeSize: 30 - VolumeType: "gp2" - - DeviceName: /dev/sdm - Ebs: - VolumeSize: 100 - DeleteOnTermination: "false" - UserData: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg== diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive2.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive2.json deleted file mode 100644 index de29adc8738..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive2.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "Resources": { - "myLaunchConfig": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "ImageId": { - "Ref": "LatestAmiId" - }, - "SecurityGroups": [ - { - "Ref": "myEC2SecurityGroup" - } - ], - "InstanceType": { - "Ref": "InstanceType" - }, - "BlockDeviceMappings": [ - { - "DeviceName": "/dev/sda1", - "Ebs": { - "VolumeSize": "30", - "VolumeType": "gp2" - } - }, - { - "DeviceName": "/dev/sdm", - "Ebs": { - "VolumeSize": "100", - "DeleteOnTermination": "false" - } - } - ], - "UserData": "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==" - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json deleted file mode 100644 index 43701376f03..00000000000 --- a/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded/test/positive_expected_result.json +++ /dev/null @@ -1,14 +0,0 @@ -[ - { - "queryName": "User Data Shell Script Is Encoded", - "severity": "LOW", - "line": 33, - "fileName": "positive2.json" - }, - { - "queryName": "User Data Shell Script Is Encoded", - "severity": "LOW", - "line": 19, - "fileName": "positive1.yaml" - } -] \ No newline at end of file diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json index 0555974b77f..3914befe8d0 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/metadata.json 
@@ -1,7 +1,7 @@
 {
 "id": "ce76b7d0-9e77-464d-b86f-c5c48e03e22d",
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Resource Management",
 "descriptionText": "Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.",
 "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json
index 5f365ee057b..476e375f089 100644
--- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json
@@ -1,31 +1,31 @@
 [
 {
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 13,
 "filename": "positive1.yaml"
 },
 {
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 4,
 "filename": "positive1.yaml"
 },
 {
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 13,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 13,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Container Capabilities Unrestricted",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 4,
 "filename": "positive4.yaml"
 }
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
index 76070b981e8..c78c6a69359 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "ad0875c1-0b39-4890-9149-173158ba3bba",
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Cloud Storage Bucket should have versioning enabled",
 "descriptionUrl": "https://cloud.google.com/storage/docs/json_api/v1/buckets",
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index a055acd79af..3eb292cd0a7 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 4,
 "filename": "positive1.yaml"
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 8,
 "filename": "positive2.yaml"
 }
diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
index 26c7c1638d4..f47d35128c2 100644
--- a/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
+++ b/assets/queries/k8s/authorization_mode_rbac_not_set/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e",
 "queryName": "Authorization Mode RBAC Not Set",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
index 76b738ce26b..80c0e857697 100644
--- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "Authorization Mode RBAC Not Set",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 11,
 "filename": "positive1.yaml"
 },
 {
 "queryName": "Authorization Mode RBAC Not Set",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 11,
 "filename": "positive2.yaml"
 }
diff --git a/assets/queries/k8s/bind_address_not_properly_set/metadata.json b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
index 127c3cd4092..6b997aad6db 100644
--- a/assets/queries/k8s/bind_address_not_properly_set/metadata.json
+++ b/assets/queries/k8s/bind_address_not_properly_set/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2",
 "queryName": "Bind Address Not Properly Set",
- "severity": "LOW",
+ "severity": "INFO",
 "category": "Networking and Firewall",
 "descriptionText": "When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
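Review bot: The direction of this check should be confirmed before its severity is lowered to INFO: the unchanged descriptionText says `--bind-address` on kube-controller-manager/kube-scheduler "should not be set to 127.0.0.1", which is the opposite of CIS Kubernetes Benchmark 1.3.7 and 1.4.2, which recommend exactly `--bind-address=127.0.0.1` so those components' metrics and health endpoints are not reachable from the network. If the rego (not in this diff) flags the loopback value, the finding is inverted and a severity tweak hides that rather than fixing it; if it flags a non-loopback bind, the finding is a real network exposure and arguably should not be INFO. Either way the description and URL deserve a fix in the same commit once the rule's logic is checked, e.g. `"descriptionText": "When using kube-controller-manager or kube-scheduler commands, '--bind-address' should be set to 127.0.0.1 so the metrics and health endpoints are not exposed on the network"` and a descriptionUrl pointing at the kube-controller-manager/kube-scheduler reference instead of kube-apiserver.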
diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
index 1c89b1571fc..07dd9af49e0 100644
--- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json
@@ -1,25 +1,25 @@
 [
 {
 "queryName": "Bind Address Not Properly Set",
- "severity": "LOW",
+ "severity": "INFO",
 "line": 11,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "Bind Address Not Properly Set",
- "severity": "LOW",
+ "severity": "INFO",
 "line": 11,
 "fileName": "positive2.yaml"
 },
 {
 "queryName": "Bind Address Not Properly Set",
- "severity": "LOW",
+ "severity": "INFO",
 "line": 20,
 "fileName": "positive3.yaml"
 },
 {
 "queryName": "Bind Address Not Properly Set",
- "severity": "LOW",
+ "severity": "INFO",
 "line": 20,
 "fileName": "positive4.yaml"
 }
diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
index dd4c672be72..e0b5500ecbd 100644
--- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
+++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "a6f34658-fdfb-4154-9536-56d516f65828",
 "queryName": "Docker Daemon Socket is Exposed to Containers",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Sees if Docker Daemon Socket is not exposed to Containers",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/storage/volumes/",
diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
index 73bb660a314..4389559e412 100644
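Review bot: Lowering "Docker Daemon Socket is Exposed to Containers" from HIGH to MEDIUM understates the impact of the finding: a workload that can reach a mounted /var/run/docker.sock can ask the daemon to start a privileged container with the node's root filesystem bind-mounted, which is root on the node and is a textbook container-escape step, so it belongs with the privileged/host-namespace findings rather than below them. I would keep `"severity": "HIGH"` here, or at least record the rationale for the downgrade in the commit message since none is given. Separately, the unchanged descriptionText "Sees if Docker Daemon Socket is not exposed to Containers" reads as the inverse of what a positive result means; `"descriptionText": "Checks whether the Docker daemon socket (/var/run/docker.sock) is mounted into a container, which grants root-equivalent control of the node"` would be clearer.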
--- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
+++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
@@ -1,17 +1,17 @@
 [
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 15
 },
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 43
 },
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 67
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/k8s/metadata_label_is_invalid/metadata.json b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
index f4b362b630c..a784edaa6ad 100644
--- a/assets/queries/k8s/metadata_label_is_invalid/metadata.json
+++ b/assets/queries/k8s/metadata_label_is_invalid/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "1123031a-f921-4c5b-bd86-ef354ecfd37a",
 "queryName": "Metadata Label Is Invalid",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Best Practices",
 "descriptionText": "Check if any label in the metadata is invalid.",
 "descriptionUrl": "https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",
diff --git a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json
index fc075f65a86..4602eb0db3e 100644
--- a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json
+++ b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "Metadata Label Is Invalid",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 6
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json b/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json deleted file mode 100644 index c71c25faa72..00000000000 --- a/assets/queries/k8s/not_limited_capabilities_for_container/metadata.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "id": "2f1a0619-b12b-48a0-825f-993bb6f01d58", - "queryName": "Not Limited Capabilities For Container", - "severity": "INFO", - "category": "Insecure Configurations", - "descriptionText": "Limit the capabilities for a Container.", - "descriptionUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", - "platform": "Kubernetes", - "descriptionID": "2d839019", - "cwe": "", - "oldSeverity": "MEDIUM" -} \ No newline at end of file diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/query.rego b/assets/queries/k8s/not_limited_capabilities_for_container/query.rego deleted file mode 100644 index 737bf07a9eb..00000000000 --- a/assets/queries/k8s/not_limited_capabilities_for_container/query.rego +++ /dev/null 
@@ -1,27 +0,0 @@ -package Cx - -import data.generic.k8s as k8sLib -import data.generic.common as commonLib - -CxPolicy[result] { - document := input.document[i] - specInfo := k8sLib.getSpecInfo(document) - - types := {"initContainers", "containers"} - containers := specInfo.spec[types[x]] - drop := containers[c].securityContext.capabilities.drop - - not commonLib.compareArrays(drop, ["ALL"]) - - metadata := document.metadata - - result := { - "documentId": document.id, - "resourceType": document.kind, - "resourceName": metadata.name, - "searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.capabilities.drop", [metadata.name, specInfo.path, types[x], containers[c].name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("In metadata.name={{%s}}s.%s.%s.name={{%s}}.securityContext.capabilities.drop, 'ALL' should be listed ", [metadata.name, specInfo.path, types[x], containers[c].name]), - "keyActualValue": sprintf("In metadata.name={{%s}}.%s.%s.name={{%s}}.securityContext.capabilities.drop, 'ALL' is not listed", [metadata.name, specInfo.path, types[x], containers[c].name]), - } -} diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/test/negative.yaml b/assets/queries/k8s/not_limited_capabilities_for_container/test/negative.yaml deleted file mode 100644 index c7abc9543da..00000000000 --- a/assets/queries/k8s/not_limited_capabilities_for_container/test/negative.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: security-context-demo-4 -spec: - containers: - - name: sec-ctx-4 - image: gcr.io/google-samples/node-hello:1.0 - securityContext: - capabilities: - drop: ["ALL"] diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/test/positive.yaml b/assets/queries/k8s/not_limited_capabilities_for_container/test/positive.yaml deleted file mode 100644 index 312a4bd5e7f..00000000000 --- a/assets/queries/k8s/not_limited_capabilities_for_container/test/positive.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: security-context-demo-4 -spec: - containers: - - name: sec-ctx-4 - image: gcr.io/google-samples/node-hello:1.0 - securityContext: - capabilities: - drop: ["NET_ADMIN", "SYS_TIME"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropCapabilitiesTest - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: payment - image: nginx - securityContext: - capabilities: - drop: - - NET_ADMIN - add: - - NET_BIND_SERVICE - diff --git a/assets/queries/k8s/not_limited_capabilities_for_container/test/positive_expected_result.json b/assets/queries/k8s/not_limited_capabilities_for_container/test/positive_expected_result.json deleted file mode 100644 index a00578de6b6..00000000000 --- a/assets/queries/k8s/not_limited_capabilities_for_container/test/positive_expected_result.json +++ /dev/null @@ -1,12 +0,0 @@ -[ - { - "queryName": "Not Limited Capabilities For Container", - "severity": "INFO", - "line": 11 - }, - { - "queryName": "Not Limited Capabilities For Container", - "severity": "INFO", - "line": 34 - } -] \ No newline at end of file diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json index 84df30f46ac..e66e547e4b4 100644 --- a/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json +++ b/assets/queries/k8s/service_account_private_key_file_not_defined/metadata.json 
@@ -1,7 +1,7 @@
 {
 "id": "ccc98ff7-68a7-436e-9218-185cb0b0b780",
 "queryName": "Service Account Private Key File Not Defined",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Encryption",
 "descriptionText": "When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined",
 "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/",
diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json
index f27099284e0..83a1aba8213 100644
--- a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "Service Account Private Key File Not Defined",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 11,
 "fileName": "positive1.yaml"
 }
diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
index cb7843cff80..7ebde021d4e 100644
--- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
+++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "40e1d1bf-11a9-4f63-a3a2-a8b84c602839",
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "category": "Access Control",
 "descriptionText": "API Keys should not be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
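Review bot: The two-step drop of "API Key Exposed In Global Security Scheme" from HIGH to LOW flattens a finding whose risk depends on where the key travels: an `apiKey` scheme with `in: query` puts the credential into access logs, proxy logs, browser history and Referer headers, while `in: header` or `in: cookie` over TLS is routine and arguably deserves LOW. If the rego (not in this diff) does not distinguish the `in` location, a single LOW under-reports the query-string case; consider splitting the finding by location, or at least stating the rationale for the downgrade in the commit message, since none is recorded. The unchanged descriptionText "API Keys should not be transported over network" is also misleading, as every credential crosses the network; `"descriptionText": "A global apiKey security scheme means a static, non-expiring secret protects every operation; keys sent in the query string are additionally written to logs and browser history"` states the actual concern.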
diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
index 97e2934c563..0ae9ec9454f 100644
--- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 52,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 57,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 62,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 31,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 35,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security Scheme",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 39,
 "filename": "positive2.yaml"
 }
diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
index 4f27ffd9978..51065b41c74 100644
--- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
+++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "105e20dd-8449-4d71-95c6-d5dac96639af",
 "queryName": "Success Response Code Undefined for Trace Operation",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Trace should define the '200' successful code",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json
index a975a9d09db..ef6cef28d07 100644
--- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json
@@ -1,13 +1,13 @@
 [
 {
 "queryName": "Success Response Code Undefined for Trace Operation",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Trace Operation",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive2.yaml"
 }
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
index ccaa9c55554..5bdc94edff4 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "aecee30b-8ea1-4776-a99c-d6d600f0862f",
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "category": "Access Control",
 "descriptionText": "API Keys should not be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json
index a0df7221cb4..de1584ca153 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json
@@ -1,61 +1,61 @@
 [
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 45,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 46,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 47,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 26,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 27,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 28,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 22,
 "filename": "positive3.json"
 },
 {
 "queryName": "API Key Exposed In Global Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 23,
 "filename": "positive3.json"
 },
 {
 "queryName": "API Key Exposed In Global Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 14,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "API Key Exposed In Global Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 15,
 "filename": "positive4.yaml"
 }
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
index 810fd5d329f..c1a68e04c4a 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "281b8071-6226-4a43-911d-fec246d422c2",
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "category": "Access Control",
 "descriptionText": "API Keys should not be transported over network",
 "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json
index ec4d9e692a3..7ecae3a47ac 100644
--- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json
@@ -1,61 +1,61 @@
 [
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 14,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 15,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive1.json"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 11,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v3)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 13,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 14,
 "filename": "positive3.json"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 15,
 "filename": "positive3.json"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 11,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "API Key Exposed In Operation Security (v2)",
- "severity": "HIGH",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive4.yaml"
 }
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json
deleted file mode 100644
index b71b81f8e49..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/metadata.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "9c238c97-1991-4c0b-9c7d-6c7912e1dc7c",
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "API Keys should not be sent as cleartext over an unencrypted channel",
- "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
- "platform": "OpenAPI",
- "descriptionID": "ecaad37f",
- "aggregation": 2,
- "override": {
- "2.0": {
- "id": "70d3873e-d537-46e5-ac3b-4e48fbdd29b4",
- "queryName": "Cleartext API Key In Global Security (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
- "descriptionText": ""
- }
- },
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/query.rego b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/query.rego
deleted file mode 100644
index ba0228b3f28..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/query.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package Cx
-
-import data.generic.openapi as openapi_lib
-
-CxPolicy[result] {
- doc := input.document[i]
- version := openapi_lib.check_openapi(doc)
- version != "undefined"
-
- security := doc.security[x][s]
- openapi_lib.api_key_exposed(doc, version, s)
- count(security) == 0
-
- result := {
- "documentId": doc.id,
- "searchKey": sprintf("security.%s", [s]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "The API Key should not be sent as cleartext over an unencrypted channel",
- "keyActualValue": "The API Key is sent as cleartext over an unencrypted channel",
- "overrideKey": version,
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative1.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative1.json
deleted file mode 100644
index da76ec5ca16..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative1.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API Overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": {
- "examples": {
- "foo": {
- "value": {
- "versions": [
- {
- "status": "CURRENT",
- "updated": "2011-01-21T11:33:21Z",
- "id": "v2.0",
- "links": [
- {
- "href": "http://127.0.0.1:8774/v2/",
- "rel": "self"
- }
- ]
- }
- ]
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "components": {
- "securitySchemes": {
- "OAuth2": {
- "type": "oauth2",
- "flows": {
- "authorizationCode": {
- "authorizationUrl": "https://example.com/oauth/authorize",
- "tokenUrl": "https://example.com/oauth/token",
- "scopes": {
- "write": "modify objects in your account",
- "read": "read objects in your account"
- }
- }
- }
- }
- }
- },
- "security": [
- {
- "OAuth2": [
- "write",
- "read"
- ]
- }
- ]
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative2.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative2.yaml
deleted file mode 100644
index ce4b57121b5..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative2.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API Overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- "200":
- description: 200 response
- content:
- application/json:
- examples:
- foo:
- value:
- versions:
- - status: CURRENT
- updated: "2011-01-21T11:33:21Z"
- id: v2.0
- links:
- - href: http://127.0.0.1:8774/v2/
- rel: self
-components:
- securitySchemes:
- OAuth2:
- type: oauth2
- flows:
- authorizationCode:
- scopes:
- write: modify objects in your account
- read: read objects in your account
- authorizationUrl: https://example.com/oauth/authorize
- tokenUrl: https://example.com/oauth/token
-security:
- - OAuth2:
- - write
- - read
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative3.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative3.json
deleted file mode 100644
index 629d5eea228..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative3.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "swagger": "2.0",
- "info": {
- "title": "Simple API Overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response"
- }
- }
- }
- }
- },
- "security": [
- {
- "OAuth2": [
- "write",
- "read"
- ]
- }
- ],
- "securityDefinitions": {
- "OAuth2": {
- "type": "oauth2",
- "flow": "accessCode",
- "authorizationUrl": "https://example.com/oauth/authorize",
- "tokenUrl": "https://example.com/oauth/token",
- "scopes": {
- "read": "Grants read access",
- "write": "Grants write access"
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative4.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative4.yaml
deleted file mode 100644
index 9b4cb66cf16..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/negative4.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-swagger: "2.0"
-info:
- title: Simple API Overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- "200":
- description: 200 response
-securityDefinitions:
- OAuth2:
- type: oauth2
- flow: accessCode
- authorizationUrl: https://example.com/oauth/authorize
- tokenUrl: https://example.com/oauth/token
- scopes:
- read: Grants read access
- write: Grants write access
-security:
- - OAuth2:
- - write
- - read
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive1.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive1.json
deleted file mode 100644
index 9196d19deba..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive1.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API Overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": {
- "examples": {
- "foo": {
- "value": {
- "versions": [
- {
- "status": "CURRENT",
- "updated": "2011-01-21T11:33:21Z",
- "id": "v2.0",
- "links": [
- {
- "href": "http://127.0.0.1:8774/v2/",
- "rel": "self"
- }
- ]
- }
- ]
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "security": [
- {
- "apiKey2": [],
- "apiKey3": [],
- "apiKey1": []
- }
- ],
- "components": {
- "securitySchemes": {
- "apiKey1": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "header"
- },
- "apiKey2": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "cookie"
- },
- "apiKey3": {
- "name": "X-API-Key",
- "in": "query",
- "type": "apiKey"
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive2.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive2.yaml
deleted file mode 100644
index ab0c3b8022a..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive2.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API Overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- "200":
- description: 200 response
- content:
- application/json:
- examples:
- foo:
- value:
- versions:
- - status: CURRENT
- updated: "2011-01-21T11:33:21Z"
- id: v2.0
- links:
- - href: http://127.0.0.1:8774/v2/
- rel: self
-security:
- - apiKey1: []
- apiKey2: []
- apiKey3: []
-components:
- securitySchemes:
- apiKey1:
- type: apiKey
- name: X-API-Key
- in: header
- apiKey2:
- type: apiKey
- name: X-API-Key
- in: cookie
- apiKey3:
- type: apiKey
- name: X-API-Key
- in: query
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive3.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive3.json
deleted file mode 100644
index 6c3f527f9aa..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive3.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "swagger": "2.0",
- "info": {
- "title": "Simple API Overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response"
- }
- }
- }
- }
- },
- "security": [
- {
- "apiKey3": [],
- "apiKey1": []
- }
- ],
- "securityDefinitions": {
- "apiKey1": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "header"
- },
- "apiKey3": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "query"
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive4.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive4.yaml
deleted file mode 100644
index 976a42b9eef..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive4.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-swagger: "2.0"
-info:
- title: Simple API Overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- "200":
- description: 200 response
-security:
- - apiKey1: []
- apiKey3: []
-securityDefinitions:
- apiKey1:
- type: apiKey
- name: X-API-Key
- in: header
- apiKey3:
- type: apiKey
- name: X-API-Key
- in: query
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive_expected_result.json
deleted file mode 100644
index d6e51b71539..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_global_security/test/positive_expected_result.json
+++ /dev/null
@@ -1,62 +0,0 @@
-[
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 45,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 46,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 47,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 26,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 27,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v3)",
- "severity": "MEDIUM",
- "line": 28,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v2)",
- "severity": "MEDIUM",
- "line": 22,
- "filename": "positive3.json"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v2)",
- "severity": "MEDIUM",
- "line": 23,
- "filename": "positive3.json"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v2)",
- "severity": "MEDIUM",
- "line": 14,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Cleartext API Key In Global Security (v2)",
- "severity": "MEDIUM",
- "line": 15,
- "filename": "positive4.yaml"
- }
-]
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json
deleted file mode 100644
index 11763e73b45..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/metadata.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "id": "d90d4e40-44c1-4125-87a0-e072c3e195b5",
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "API Keys should not be sent as cleartext over an unencrypted channel",
- "descriptionUrl": "https://swagger.io/specification/#security-scheme-object",
- "platform": "OpenAPI",
- "descriptionID": "bc86897e",
- "aggregation": 2,
- "override": {
- "2.0": {
- "id": "99733b39-6413-4ed8-8acf-dc7cdc9b4e51",
- "queryName": "Cleartext API Key In Operation Security (v2)",
- "descriptionUrl": "https://swagger.io/specification/v2/#securityDefinitionsObject",
- "descriptionText": ""
- }
- },
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/query.rego b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/query.rego
deleted file mode 100644
index c7c7a54cc2b..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/query.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package Cx
-
-import data.generic.openapi as openapi_lib
-
-CxPolicy[result] {
- doc := input.document[i]
- version := openapi_lib.check_openapi(doc)
- version != "undefined"
-
- security := doc.paths[path][operation].security[x][s]
- openapi_lib.api_key_exposed(doc, version, s)
- count(security) == 0
-
- result := {
- "documentId": doc.id,
- "searchKey": sprintf("paths.%s.%s.security.%s", [path, operation, s]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "The API Key should not be sent as cleartext over an unencrypted channel",
- "keyActualValue": "The API Key is sent as cleartext over an unencrypted channel",
- "overrideKey": version,
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative1.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative1.json
deleted file mode 100644
index 6996f58e752..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative1.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "version": "1.0.0",
- "title": "Simple API overview"
- },
- "paths": {
- "/pets": {
- "post": {
- "description": "Creates a new pet in the store",
- "responses": {
- "200": {
- "description": "200 response"
- }
- },
- "operationId": "addPet",
- "security": [
- {
- "OAuth2": [
- "write",
- "read"
- ]
- }
- ]
- }
- }
- },
- "components": {
- "securitySchemes": {
- "OAuth2": {
- "type": "oauth2",
- "flows": {
- "authorizationCode": {
- "scopes": {
- "write": "modify objects in your account",
- "read": "read objects in your account"
- },
- "authorizationUrl": "https://example.com/oauth/authorize",
- "tokenUrl": "https://example.com/oauth/token"
- }
- }
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative2.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative2.yaml
deleted file mode 100644
index 5da15e32d1c..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative2.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API overview
- version: 1.0.0
-paths:
- /pets:
- post:
- description: Creates a new pet in the store
- responses:
- "200":
- description: 200 response
- operationId: addPet
- security:
- - OAuth2:
- - write
- - read
-components:
- securitySchemes:
- OAuth2:
- type: oauth2
- flows:
- authorizationCode:
- scopes:
- write: modify objects in your account
- read: read objects in your account
- authorizationUrl: https://example.com/oauth/authorize
- tokenUrl: https://example.com/oauth/token
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative3.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative3.json
deleted file mode 100644
index 5349a3d0eb3..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative3.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "swagger": "2.0",
- "info": {
- "version": "1.0.0",
- "title": "Simple API overview"
- },
- "paths": {
- "/pets": {
- "post": {
- "description": "Creates a new pet in the store",
- "responses": {
- "200": {
- "description": "200 response"
- }
- },
- "operationId": "addPet",
- "security": [
- {
- "OAuth2": [
- "write",
- "read"
- ]
- }
- ]
- }
- }
- },
- "securityDefinitions": {
- "OAuth2": {
- "type": "oauth2",
- "flow": "accessCode",
- "authorizationUrl": "https://example.com/oauth/authorize",
- "tokenUrl": "https://example.com/oauth/token",
- "scopes": {
- "read": "Grants read access",
- "write": "Grants write access"
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative4.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative4.yaml
deleted file mode 100644
index 7771f5f5a30..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/negative4.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-swagger: "2.0"
-info:
- title: Simple API overview
- version: 1.0.0
-paths:
- /pets:
- post:
- description: Creates a new pet in the store
- responses:
- "200":
- description: 200 response
- operationId: addPet
- security:
- - OAuth2:
- - write
- - read
-securityDefinitions:
- OAuth2:
- type: oauth2
- flow: accessCode
- authorizationUrl: https://example.com/oauth/authorize
- tokenUrl: https://example.com/oauth/token
- scopes:
- read: Grants read access
- write: Grants write access
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive1.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive1.json
deleted file mode 100644
index 8c61adf363f..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive1.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API overview",
- "version": "1.0.0"
- },
- "paths": {
- "/pets": {
- "post": {
- "description": "Creates a new pet in the store",
- "responses": {
- "200": {
- "description": "200 response"
- }
- },
- "operationId": "addPet",
- "security": [
- {
- "apiKey1": [],
- "apiKey2": [],
- "apiKey3": []
- }
- ]
- }
- }
- },
- "components": {
- "securitySchemes": {
- "apiKey1": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "header"
- },
- "apiKey2": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "cookie"
- },
- "apiKey3": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "query"
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive2.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive2.yaml
deleted file mode 100644
index 42b2ebfe522..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive2.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API overview
- version: 1.0.0
-paths:
- /pets:
- post:
- description: Creates a new pet in the store
- responses:
- "200":
- description: 200 response
- operationId: addPet
- security:
- - apiKey1: []
- apiKey2: []
- apiKey3: []
-components:
- securitySchemes:
- apiKey1:
- type: apiKey
- name: X-API-Key
- in: header
- apiKey2:
- type: apiKey
- name: X-API-Key
- in: cookie
- apiKey3:
- type: apiKey
- name: X-API-Key
- in: query
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive3.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive3.json
deleted file mode 100644
index c52bc9aff00..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive3.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "swagger": "2.0",
- "info": {
- "title": "Simple API overview",
- "version": "1.0.0"
- },
- "paths": {
- "/pets": {
- "post": {
- "description": "Creates a new pet in the store",
- "responses": {
- "200": {
- "description": "200 response"
- }
- },
- "operationId": "addPet",
- "security": [
- {
- "apiKey1": [],
- "apiKey3": []
- }
- ]
- }
- }
- },
- "securityDefinitions": {
- "apiKey1": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "header"
- },
- "apiKey3": {
- "type": "apiKey",
- "name": "X-API-Key",
- "in": "query"
- }
- }
-}
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive4.yaml b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive4.yaml
deleted file mode 100644
index a5472498931..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive4.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-swagger: "2.0"
-info:
- title: Simple API overview
- version: 1.0.0
-paths:
- /pets:
- post:
- description: Creates a new pet in the store
- responses:
- "200":
- description: 200 response
- operationId: addPet
- security:
- - apiKey1: []
- apiKey3: []
-securityDefinitions:
- apiKey1:
- type: apiKey
- name: X-API-Key
- in: header
- apiKey3:
- type: apiKey
- name: X-API-Key
- in: query
diff --git a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive_expected_result.json
deleted file mode 100644
index 2b00a078b62..00000000000
--- a/assets/queries/openAPI/general/cleartext_api_key_in_operation_security/test/positive_expected_result.json
+++ /dev/null
@@ -1,62 +0,0 @@
-[
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 19,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 20,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 21,
- "filename": "positive1.json"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 14,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v3)",
- "severity": "HIGH",
- "line": 16,
- "filename": "positive2.yaml"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v2)",
- "severity": "HIGH",
- "line": 19,
- "filename": "positive3.json"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v2)",
- "severity": "HIGH",
- "line": 20,
- "filename": "positive3.json"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v2)",
- "severity": "HIGH",
- "line": 14,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Cleartext API Key In Operation Security (v2)",
- "severity": "HIGH",
- "line": 15,
- "filename": "positive4.yaml"
- }
-]
diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
index bf13bcdf025..0bd16ca3a8d 100644
--- a/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
+++ b/assets/queries/openAPI/general/default_response_undefined_operations/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "86e3702f-c868-44b2-b61d-ea5316c18110",
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Operations responses should have a default response defined",
 "descriptionUrl": "https://swagger.io/specification/#responses-object",
diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json
index 4808f4bf872..9e94753493a 100644
--- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json
@@ -1,61 +1,61 @@
 [
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive2.json"
 },
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive2.json"
 },
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Default Response Undefined On Operations (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Default Response Undefined On Operations (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive5.json"
 },
 {
 "queryName": "Default Response Undefined On Operations (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive5.json"
 },
 {
 "queryName": "Default Response Undefined On Operations (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive6.yaml"
 },
 {
 "queryName": "Default Response Undefined On Operations (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/openAPI/general/response_code_missing/metadata.json b/assets/queries/openAPI/general/response_code_missing/metadata.json
index 720939b8af4..e2e6555d489 100644
--- a/assets/queries/openAPI/general/response_code_missing/metadata.json
+++ b/assets/queries/openAPI/general/response_code_missing/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "6c35d2c6-09f2-4e5c-a094-e0e91327071d",
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
index a7f6b9657be..fff2d20fb17 100644
--- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json
@@ -1,157 +1,157 @@
 [
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 21,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive2.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive2.json"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 16,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Response Code Missing (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Response Code Missing (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive5.json"
 },
 {
 "queryName": "Response Code Missing (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive5.json"
 },
 {
 "queryName": "Response Code Missing (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive6.yaml"
 },
 {
 "queryName": "Response Code Missing (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
index ec454413c24..971fcd09771 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "12a7210b-f4b4-47d0-acac-0a819e2a0ca3",
 "queryName": "Response on operations that should not have a body has declared content (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "If a response is head or its code is 204 or 304, it shouldn't have a content defined",
 "descriptionUrl": "https://swagger.io/docs/specification/describing-responses/",
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
index d01f8367844..a5b288523c3 100644
--- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 29,
 "filename": "positive1.json"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 20,
 "filename": "positive2.json"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 23,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 17,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 13,
 "filename": "positive5.yaml"
 },
 {
 "queryName": "Response on operations that should not have a body has declared content (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 15,
 "filename": "positive6.json"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
index e87790772c0..c3f58ca64d1 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "3b497874-ae59-46dd-8d72-1868a3b8f150",
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Delete should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
index 62d15e974a5..085eab862bb 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive2.json"
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive5.json"
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
index f1313e9be41..00d93e3153d 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "b2f275be-7d64-4064-b418-be6b431363a7",
 "queryName": "Success Response Code Undefined for Get Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Get should define at least one success response (200 or 202)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
index 2c348f015b6..64cbed3c1b1 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
@@ -1,25 +1,25 @@
 [
 {
 "queryName": "Success Response Code Undefined for Get Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive3.json"
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
index 537ebb153e2..ad5ba411436 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "3b066059-f411-4554-ac8d-96f32bff90da",
 "queryName": "Success Response Code Undefined for Head Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Head should define at least one success response (200 or 202)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
index 15556bb556e..1f6c14dc8f6 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
@@ -1,25 +1,25 @@
 [
 {
 "queryName": "Success Response Code Undefined for Head Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive2.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive3.json"
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive4.yaml"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
index 203751ff7e2..e6e162ef797 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "1908a8ee-927d-4166-8f18-241152170cc1",
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Patch should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
index 2794beb2fc5..5350ccdf0e7 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive2.json"
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive5.json"
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
index 40d7d7bbaa1..62748ca3ac7 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "f368dd2d-9344-4146-a05b-7c6faa1269ad",
 "queryName": "Success Response Code Undefined for Post Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Post should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
index 4f3d83b0af7..f5959207758 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "Success Response Code Undefined for Post Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Post Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive2.json"
 },
 {
 "queryName": "Success Response Code Undefined for Post Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Post Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Post Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive5.json"
 },
 {
 "queryName": "Success Response Code Undefined for Post Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
index e03a31bf823..2d12850c86b 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "60b5f56b-66ff-4e1c-9b62-5753e16825bc",
 "queryName": "Success Response Code Undefined for Put Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Networking and Firewall",
 "descriptionText": "Put should define at least one success response (200, 201, 202 or 204)",
 "descriptionUrl": "https://swagger.io/specification/#operation-object",
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json
index 140d784e325..ba164e0af40 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json
@@ -1,37 +1,37 @@
 [
 {
 "queryName": "Success Response Code Undefined for Put Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 12,
 "filename": "positive1.json"
 },
 {
 "queryName": "Success Response Code Undefined for Put Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive2.json"
 },
 {
 "queryName": "Success Response Code Undefined for Put Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 10,
 "filename": "positive3.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Put Operation (v3)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive4.yaml"
 },
 {
 "queryName": "Success Response Code Undefined for Put Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 24,
 "filename": "positive5.json"
 },
 {
 "queryName": "Success Response Code Undefined for Put Operation (v2)",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 18,
 "filename": "positive6.yaml"
 }
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
index 439b9168da5..b3b20e57a60 100644
--- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
+++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "482b7d26-0bdb-4b5f-bf6f-545826c0a3dd",
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "category": "Observability",
 "descriptionText": "Check if SNS topic name is set for CloudTrail",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail",
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index 934411e384f..ab5ba6bb6b4 100644
--- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 1
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
- "severity": "INFO",
+ "severity": "LOW",
 "line": 5
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
index 349a9c6d63c..272dd84d7f3 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/metadata.json
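Review bot: This INFO→LOW change on `cloudtrail_sns_topic_name_undefined/metadata.json` records no `oldSeverity`, whereas the LOW→MEDIUM and MEDIUM→INFO changes later in the same commit add an `"oldSeverity": "<previous>"` entry after `cwe`. If `oldSeverity` is what downstream tooling uses to carry suppressions or baselines across a severity change, the asymmetry makes this query (and the OpenAPI INFO→LOW bumps earlier in the diff) surface as new findings while the CloudWatch ones migrate cleanly. I would add `"oldSeverity": "INFO"` here for consistency, or note in the commit message why INFO→LOW bumps are exempt. I cannot see from the diff what reads `oldSeverity`, so this is inferred from the other hunks.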
@@ -1,12 +1,13 @@
 {
 "id": "5b8d7527-de8e-4114-b9dd-9d988f1f418f",
 "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Ensure a log metric filter and alarm exist for AWS Config configuration changes",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "698457eb",
 "cloudProvider": "aws",
- "cwe": ""
+ "cwe": "",
+ "oldSeverity": "LOW"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
index 344486415fd..1459de355bb 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json
@@ -1,26 +1,26 @@
 [
 {
 "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive2.tf"
 },
 {
 "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive3.tf"
 },
 {
 "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive4.tf"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
index 86db892c4fe..2d92e304854 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/metadata.json
@@ -1,12 +1,13 @@
 {
 "id": "38b85c45-e772-4de8-a247-69619ca137b3",
 "queryName": "CloudWatch AWS Organizations Changes Missing Alarm",
- "severity": "MEDIUM",
+ "severity": "INFO",
 "category": "Observability",
 "descriptionText": "Ensure a log metric filter and alarm exist for AWS organizations changes",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "38b85c45",
 "cloudProvider": "aws",
- "cwe": ""
+ "cwe": "",
+ "oldSeverity": "MEDIUM"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json
index fd48691bdb1..b56668d3c45 100644
--- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json
@@ -1,14 +1,14 @@
 [
 {
 "queryName": "CloudWatch AWS Organizations Changes Missing Alarm",
- "severity": "MEDIUM",
+ "severity": "INFO",
 "line": 1,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "CloudWatch AWS Organizations Changes Missing Alarm",
- "severity": "MEDIUM",
+ "severity": "INFO",
 "line": 1,
 "fileName": "positive2.tf"
 }
-]
+]
\ No newline at end of file
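Review bot: The severity of `CloudWatch AWS Organizations Changes Missing Alarm` is lowered from MEDIUM to INFO in this metadata hunk, while the sibling alarm-missing queries in the same commit (AWS Config, NACL, VPC changes) are raised from LOW to MEDIUM; the result is that the query covering Organizations API activity — account creation/removal, SCP attach/detach, leaving the organization — becomes the least severe of the set, which is the inverse of its blast radius, since those events affect every account in the org. As far as I recall the CIS AWS Foundations Benchmark lists a metric filter and alarm for Organizations changes as a recommended control, which argues against INFO. Unless the downgrade is deliberate (a known-noisy query, or one being retired), I would keep it aligned with its siblings, `"severity": "MEDIUM"`, and drop the added `"oldSeverity": "MEDIUM"` line; otherwise the rationale belongs in the commit message so the downgrade does not read as a typo.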
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
index 6ca0de1d284..bb1a9bfc0ae 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/metadata.json
@@ -1,12 +1,13 @@
 {
 "id": "0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0",
 "queryName": "CloudWatch Changes To NACL Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Ensure a log metric filter and alarm exist for changes to NACL",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "0a8e8dc5",
 "cloudProvider": "aws",
- "cwe": ""
+ "cwe": "",
+ "oldSeverity": "LOW"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json
index 3bf0e71af15..89ee21fe61c 100644
--- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json
@@ -1,14 +1,14 @@
 [
 {
 "queryName": "CloudWatch Changes To NACL Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "CloudWatch Changes To NACL Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive2.tf"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
index 29f91b2f0ee..4fb694beac2 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/metadata.json
@@ -1,12 +1,13 @@
 {
 "id": "9d0d4512-1959-43a2-a17f-72360ff06d1b",
 "queryName": "CloudWatch VPC Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "Ensure a log metric filter and alarm exist for VPC changes",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern",
 "platform": "Terraform",
 "descriptionID": "6159556d",
 "cloudProvider": "aws",
- "cwe": ""
+ "cwe": "",
+ "oldSeverity": "LOW"
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json
index 1c7acd9bfc3..b13d90ce06d 100644
--- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json
@@ -1,20 +1,20 @@
 [
 {
 "queryName": "CloudWatch VPC Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
 },
 {
 "queryName": "CloudWatch VPC Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive2.tf"
 },
 {
 "queryName": "CloudWatch VPC Changes Alarm Missing",
- "severity": "LOW",
+ "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive3.tf"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
deleted file mode 100644
index 9a308462059..00000000000
--- a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/metadata.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "id": "d40210ea-64b9-4cce-a4fb-e8604f3c062c",
- "queryName": "ECS Task Definition Container With Plaintext Password",
- "severity": "HIGH",
- "category": "Encryption",
- "descriptionText": "It's not recommended to use plaintext environment variables for sensitive information, such as credential data.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition",
- "platform": "Terraform",
- "descriptionID": "b2503e42",
- "cloudProvider": "aws",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/query.rego b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/query.rego
deleted file mode 100644
index 9e47339f94b..00000000000
--- a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/query.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package Cx
-
-import data.generic.common as commonLib
-import data.generic.terraform as tf_lib
-
-CxPolicy[result] {
- resource := input.document[i].resource.aws_ecs_task_definition[name]
-
- resourceJson := commonLib.json_unmarshal(resource.container_definitions)
- env := resourceJson.containerDefinitions[_].environment[_]
- contains(lower(env.name), "password")
-
- result := {
- "documentId": input.document[i].id,
- "resourceType": "aws_ecs_task_definition",
- "resourceName": tf_lib.get_resource_name(resource, name),
- "searchKey": sprintf("%s", [env.name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "'container_definitions.environment.name' shouldn't have password value",
- "keyActualValue": "'container_definitions.environment.name' has password value",
- }
-}
diff --git a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/test/negative.tf b/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/test/negative.tf
deleted file mode 100644
index 0f0eb906885..00000000000
--- a/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password/test/negative.tf
+++ /dev/null
@@ -1,54 +0,0 @@
-resource "aws_ecs_task_definition" "negative1" {
- family = "service"
- container_definitions = <