
Commit 361dbc9

docs(queries): update queries catalog (#7894)
Co-authored-by: cx-artur-ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
1 parent b2aafd8 commit 361dbc9

41 files changed

Lines changed: 5974 additions & 0 deletions


docs/queries/all-queries.md

Lines changed: 39 additions & 0 deletions

docs/queries/terraform-queries.md

Lines changed: 39 additions & 0 deletions
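--- /dev/null
+++ b/docs/queries/<PATH-NOT-ON-PAGE-1>.md
@@ -0,0 +1,212 @@
+---
+title: Beta - VM Without Managed Disk
+hide:
+toc: true
+navigation: true
+---
+
+<style>
+.highlight .hll {
+background-color: #ff171742;
+}
+.md-content {
+max-width: 1100px;
+margin: 0 auto;
+}
+</style>
+
+- **Query id:** 0536c90c-714e-4184-991e-3fed8d8b7b46
+- **Query name:** Beta - VM Without Managed Disk
+- **Platform:** Terraform
+- **Severity:** <span style="color:#ff7213">Medium</span>
+- **Category:** Resource Management
+- **CWE:** <a href="https://cwe.mitre.org/data/definitions/922.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/922.html')">922</a>
+- **Risk score:** <span style="color:#ff7213">3.0</span>
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_without_managed_disk)
+
+### Description
+Virtual machine resources should set a managed disk for encryption, resilience and reduction of costs<br>
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Positive test num. 1 - tf file" hl_lines="1 34 21"
+resource "azurerm_virtual_machine" "positive1" {
+name = "${var.prefix}-vm"
+location = azurerm_resource_group.positive1.location
+resource_group_name = azurerm_resource_group.positive1.name
+network_interface_ids = [azurerm_network_interface.main.id]
+vm_size = "Standard_DS1_v2"
+
+# missing "storage_os_disk" (tecnically required)
+}
+
+resource "azurerm_virtual_machine" "positive1_2" {
+name = "${var.prefix}-vm"
+location = azurerm_resource_group.positive1_2.location
+resource_group_name = azurerm_resource_group.positive1_2.name
+network_interface_ids = [azurerm_network_interface.main.id]
+vm_size = "Standard_DS1_v2"
+
+storage_os_disk {
+name = "myosdisk1"
+create_option = "FromImage"
+vhd_uri = "https://<storageaccount>.blob.core.windows.net/<container>/<diskname>.vhd"
+# unmanaged disk
+}
+}
+
+resource "azurerm_virtual_machine" "positive1_3" {
+name = "${var.prefix}-vm"
+location = azurerm_resource_group.positive1_3.location
+resource_group_name = azurerm_resource_group.positive1_3.name
+network_interface_ids = [azurerm_network_interface.main.id]
+vm_size = "Standard_DS1_v2"
+
+
+storage_os_disk {
+name = "myosdisk1"
+create_option = "FromImage"
+# missing managed_disk_type/managed_disk_id
+}
+}
+
+```
+```tf title="Positive test num. 2 - tf file" hl_lines="1"
+resource "azurerm_linux_virtual_machine" "positive2" {
+name = "positive2-machine"
+resource_group_name = azurerm_resource_group.positive2.name
+location = azurerm_resource_group.positive2.location
+size = "Standard_F2"
+admin_username = "adminuser"
+
+# missing os_managed_disk_id
+}
+
+```
+```tf title="Positive test num. 3 - tf file" hl_lines="1"
+resource "azurerm_windows_virtual_machine" "positive3" {
+name = "positive3-machine"
+resource_group_name = azurerm_resource_group.positive3.name
+location = azurerm_resource_group.positive3.location
+size = "Standard_F2"
+admin_username = "adminuser"
+
+# missing os_managed_disk_id
+}
+
+```
+<details><summary>Positive test num. 4 - tf file</summary>
+
+```tf hl_lines="1 17"
+resource "azurerm_virtual_machine_scale_set" "positive4_1" {
+name = "vmss-premium-positive4_1"
+location = azurerm_resource_group.positive4_1.location
+resource_group_name = azurerm_resource_group.positive4_1.name
+upgrade_policy_mode = "Manual"
+
+storage_profile_os_disk {
+caching = "ReadOnly"
+create_option = "FromImage"
+vhd_containers = [
+"https://mystorageaccount.blob.core.windows.net/vhds/"
+]
+# vhd_containers instead of "managed_disk_type"
+}
+}
+
+resource "azurerm_virtual_machine_scale_set" "positive4_2" {
+name = "vmss-premium-positive4_2"
+location = azurerm_resource_group.positive4_2.location
+resource_group_name = azurerm_resource_group.positive4_2.name
+upgrade_policy_mode = "Manual"
+
+storage_profile_os_disk {
+caching = "ReadOnly"
+create_option = "FromImage"
+os_type = "Linux" # Required when using "image"
+image = "https://mystorageaccount.blob.core.windows.net/system/Microsoft.Compute/Images/custom-os-image/osDisk.vhd"
+# image instead of "managed_disk_type"
+}
+}
+
+```
+</details>
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_virtual_machine" "negative1_1" {
+name = "${var.prefix}-vm"
+location = azurerm_resource_group.negative1_1.location
+resource_group_name = azurerm_resource_group.negative1_1.name
+network_interface_ids = [azurerm_network_interface.main.id]
+vm_size = "Standard_DS1_v2"
+
+storage_os_disk {
+name = "myosdisk1"
+caching = "ReadWrite"
+create_option = "FromImage"
+managed_disk_type = "Standard_LRS"
+}
+}
+
+resource "azurerm_virtual_machine" "negative1_2" {
+name = "${var.prefix}-vm"
+location = azurerm_resource_group.negative1_2.location
+resource_group_name = azurerm_resource_group.negative1_2.name
+network_interface_ids = [azurerm_network_interface.negative1_2.id]
+vm_size = "Standard_DS1_v2"
+
+storage_os_disk {
+name = "myosdisk1"
+caching = "ReadWrite"
+create_option = "Attach"
+managed_disk_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myManagedDisk"
+}
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+resource "azurerm_linux_virtual_machine" "negative2" {
+name = "negative2-machine"
+resource_group_name = azurerm_resource_group.negative2.name
+location = azurerm_resource_group.negative2.location
+size = "Standard_F2"
+admin_username = "adminuser"
+
+os_managed_disk_id = azurerm_managed_disk.negative2.id
+}
+
+```
+```tf title="Negative test num. 3 - tf file"
+resource "azurerm_windows_virtual_machine" "negative3" {
+name = "negative3-machine"
+resource_group_name = azurerm_resource_group.negative3.name
+location = azurerm_resource_group.negative3.location
+size = "Standard_F2"
+admin_username = "adminuser"
+
+os_managed_disk_id = azurerm_managed_disk.negative3.id
+}
+
+```
+<details><summary>Negative test num. 4 - tf file</summary>
+
+```tf
+resource "azurerm_virtual_machine_scale_set" "negative4" {
+name = "vmss-ssd-negative4"
+location = azurerm_resource_group.negative4.location
+resource_group_name = azurerm_resource_group.negative4.name
+upgrade_policy_mode = "Manual"
+
+storage_profile_os_disk {
+caching = "ReadWrite"
+create_option = "FromImage"
+managed_disk_type = "StandardSSD_LRS"
+}
+}
+
+```
+</details>
+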
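--- /dev/null
+++ b/docs/queries/<PATH-NOT-ON-PAGE-2>.md
@@ -0,0 +1,104 @@
+---
+title: Beta - Blob Storage Without Soft Delete
+hide:
+toc: true
+navigation: true
+---
+
+<style>
+.highlight .hll {
+background-color: #ff171742;
+}
+.md-content {
+max-width: 1100px;
+margin: 0 auto;
+}
+</style>
+
+- **Query id:** 056d28cc-7ee9-4b12-b2d1-16b7b66db72d
+- **Query name:** Beta - Blob Storage Without Soft Delete
+- **Platform:** Terraform
+- **Severity:** <span style="color:#bb2124">High</span>
+- **Category:** Backup
+- **CWE:** <a href="https://cwe.mitre.org/data/definitions/754.html" onclick="newWindowOpenerSafe(event, 'https://cwe.mitre.org/data/definitions/754.html')">754</a>
+- **Risk score:** <span style="color:#bb2124">6.0</span>
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/blob_storage_without_soft_delete)
+
+### Description
+All 'azurerm_storage_account' resources should define a 'delete_retention_policy' block for their 'blob_properties' to allow data recovery<br>
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#delete_retention_policy-2)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Positive test num. 1 - tf file" hl_lines="32 1 18"
+resource "azurerm_storage_account" "positive1" {
+name = "positive1"
+resource_group_name = azurerm_resource_group.positive1.name
+location = azurerm_resource_group.positive1.location
+account_tier = "Standard"
+account_replication_type = "GRS"
+
+# missing "blob_properties"
+}
+
+resource "azurerm_storage_account" "positive2" {
+name = "positive2"
+resource_group_name = azurerm_resource_group.positive2.name
+location = azurerm_resource_group.positive2.location
+account_tier = "Standard"
+account_replication_type = "GRS"
+
+blob_properties {
+# missing "delete_retention_policy"
+}
+}
+
+resource "azurerm_storage_account" "positive3" {
+name = "positive3"
+resource_group_name = azurerm_resource_group.positive3.name
+location = azurerm_resource_group.positive3.location
+account_tier = "Standard"
+account_replication_type = "GRS"
+
+blob_properties {
+delete_retention_policy {
+days = 5 # lower than minimum value (7)
+}
+}
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_storage_account" "negative1" {
+name = "negative1"
+resource_group_name = "testRG"
+location = "northeurope"
+account_tier = "Premium"
+account_replication_type = "LRS"
+account_kind = "FileStorage"
+
+blob_properties {
+delete_retention_policy {
+days = 49
+}
+}
+}
+
+resource "azurerm_storage_account" "negative2" {
+name = "negative2"
+resource_group_name = "testRG"
+location = "northeurope"
+account_tier = "Premium"
+account_replication_type = "LRS"
+account_kind = "FileStorage"
+
+blob_properties {
+delete_retention_policy {} # defaults to 7 days
+}
+}
+
+```
+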
