Merge pull request #303 from Azure/verabe/newRelease

Prepare to release version 0.4
Azure · Nov 8, 2022 · a09db7b · a09db7b
2 parents ff65354 + ce909b5
commit a09db7b
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 38 deletions.
diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -5,7 +5,7 @@
     "shortDescription": "Diagnostic logs in App Service should be enabled",
     "fullDescription": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.",
     "recommendation": "Enable diagnostic logs in App Service",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000001-diagnostic-logs-in-app-services-should-be-enabled",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled",
     "severity": 2,
     "evaluation": {
       "resourceType": "Microsoft.Web/sites",
@@ -346,7 +346,7 @@
     "shortDescription": "CORS should not allow every resource to access your function app",
     "fullDescription": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app.",
     "recommendation": "Allow only required domains to interact with your function app.",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-apps",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-app",
     "severity": 3,
     "evaluation": {
       "resourceType": "Microsoft.Web/sites",
@@ -406,7 +406,7 @@
     "shortDescription": "Remote debugging should be turned off for web apps",
     "fullDescription": "Remote debugging requires inbound ports to be opened on a web application. These ports become easy targets for compromise from various internet based attacks. If you no longer need to use remote debugging, it should be turned off.",
     "recommendation": "Remote debugging should be turned off",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000014-remote-debugging-should-be-turned-off-for-web-applications",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000014-remote-debugging-should-be-turned-off-for-web-apps",
     "severity": 3,
     "evaluation": {
       "resourceType": "Microsoft.Web/sites",
@@ -484,7 +484,7 @@
     "shortDescription": "Web apps should only be accessible over HTTPS",
     "fullDescription": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.",
     "recommendation": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000016-web-application-should-only-be-accessible-over-https",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000016-web-apps-should-only-be-accessible-over-https",
     "severity": 2,
     "evaluation": {
       "resourceType": "Microsoft.Web/sites",
@@ -549,7 +549,7 @@
     "shortDescription": "CORS should not allow every resource to access your web apps",
     "fullDescription": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.",
     "recommendation": "Allow only required domains to interact with your web app.",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-applications",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-apps",
     "severity": 3,
     "evaluation": {
       "resourceType": "Microsoft.Web/sites",
@@ -625,7 +625,7 @@
     "shortDescription": "Audit usage of custom RBAC roles",
     "fullDescription": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.",
     "recommendation": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000020-use-built-in-roles-instead-of-custom-rbac-roles",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000020-audit-usage-of-custom-rbac-roles",
     "severity": 3,
     "evaluation": {
       "resourceType": "Microsoft.Authorization/roleDefinitions",
@@ -653,7 +653,7 @@
     "shortDescription": "Only secure connections to your Azure Cache for Redis should be enabled",
     "fullDescription": "Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
     "recommendation": "Enable connections via SSL only to Redis Cache",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000022-onlysecureconnectionstoyourazurecacheforredisshouldbeenabled",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000022-only-secure-connections-to-your-azure-cache-for-redis-should-be-enabled",
     "severity": 1,
     "evaluation": {
       "resourceType": "Microsoft.Cache/redis",
@@ -689,7 +689,7 @@
     "shortDescription": "RBAC should be used on Kubernetes Services",
     "fullDescription": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process.",
     "recommendation": "Enable RBAC in Kubernetes clusters",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000024-role-basedaccesscontrolrbacshouldbeusedonkubernetesservices",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000024-rbac-should-be-used-on-kubernetes-services",
     "severity": 1,
     "evaluation": {
       "resourceType": "Microsoft.ContainerService/managedClusters",
@@ -737,7 +737,7 @@
     "shortDescription": "Service Fabric clusters should only use AAD for client authentication",
     "fullDescription": "Service Fabric clusters should only use Azure Active Directory (AAD) for client authentication. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using AAD.",
     "recommendation": "Enable AAD client authentication on your Service Fabric clusters",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000026-service-fabric-clusters-should-only-use-azure-active-directory-for-client-authentication",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000026-service-fabric-clusters-should-only-use-aad-for-client-authentication",
     "severity": 1,
     "evaluation": {
       "resourceType": "Microsoft.ServiceFabric/clusters",
@@ -751,7 +751,7 @@
     "shortDescription": "TDE on SQL databases should be enabled",
     "fullDescription": "Transparent data encryption (TDE) should be enabled to protect data-at-rest and meet compliance requirements.",
     "recommendation": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000027-transparent-data-encryption-on-sql-databases-should-be-enabled",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000027-tde-on-sql-databases-should-be-enabled",
     "severity": 3,
     "evaluation": {
       "resourceType": "Microsoft.Sql/servers/databases",
@@ -821,7 +821,7 @@
     "shortDescription": "Azure API Management APIs should use HTTPS only",
     "fullDescription": "Set the protocols property of your Azure APIs Management API to only include HTTPS.",
     "recommendation": "To use encrypted protocols only, add (or update) the protocols property to only include HTTPS. Allowing any additional protocols (e.g. HTTP, WS) is insecure",
-    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000029-azure-api-management-apis-should-use-encrypted-protocols-only",
+    "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000029-azure-api-management-apis-should-use-https-only",
     "severity": 1,
     "evaluation": {
       "resourceType": "Microsoft.ApiManagement/service/apis",

diff --git a/src/Analyzer.PowerShellRuleEngine.UnitTests/PowerShellRuleEngineTests.cs b/src/Analyzer.PowerShellRuleEngine.UnitTests/PowerShellRuleEngineTests.cs
@@ -29,7 +29,7 @@ public static void AssemblyInitialize(TestContext context)
 
         [DataTestMethod]
         // PSRule detects errors in two analysis stages: when looking at the whole file (through the file path), and when looking at each resource (pipeline.Process(resource)):
-        [DataRow("template_and_resource_level_results.json", true, 12, new int[] { 1, 1, 1, 1, 8, 14, 17, 1, 17, 17, 1, 17 }, DisplayName = "Running all the rules against a template with errors reported in both analysis stages")]
+        [DataRow("template_and_resource_level_results.json", true, 13, new int[] { 1, 1, 1, 1, 8, 14, 17, 1, 17, 17, 1, 17, 1 }, DisplayName = "Running all the rules against a template with errors reported in both analysis stages")]
         [DataRow("template_and_resource_level_results.json", false, 4, new int[] { 17, 17, 17, 17 }, DisplayName = "Running only the security rules against a template with errors reported in both analysis stages")]
         // TODO add test case for error, warning (rule with severity level of warning?) and informational (also rule with that severity level?)
         public void AnalyzeTemplate_ValidTemplate_ReturnsExpectedEvaluations(string templateFileName, bool runsAllRules, int expectedErrorCount, dynamic expectedLineNumbers)

diff --git a/src/Analyzer.PowerShellRuleEngine/Analyzer.PowerShellRuleEngine.csproj b/src/Analyzer.PowerShellRuleEngine/Analyzer.PowerShellRuleEngine.csproj
@@ -8,8 +8,8 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.2.4" />
-    <PackageReference Include="Microsoft.PSRule.Rules.Azure" Version="1.19.0-B0010" />
-    <PackageReference Include="Microsoft.PSRule.SDK" Version="2.5.0-B0004" />
+    <PackageReference Include="Microsoft.PSRule.Rules.Azure" Version="1.22.0-B0011" />
+    <PackageReference Include="Microsoft.PSRule.SDK" Version="2.6.0-B0013" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Analyzer.PowerShellRuleEngine/baselines/RepeatedRulesBaseline.Rule.json b/src/Analyzer.PowerShellRuleEngine/baselines/RepeatedRulesBaseline.Rule.json
@@ -9,16 +9,16 @@
     "spec": {
       "rule": {
         "exclude": [
-          "PSRule.Rules.Azure\\Azure.AppService.RemoteDebug", // TA-000002
-          "PSRule.Rules.Azure\\Azure.AppService.WebSecureFtp", // TA-000003
-          "PSRule.Rules.Azure\\Azure.AppService.UseHTTPS", // TA-000004
-          "PSRule.Rules.Azure\\Azure.AppService.MinTLS", // TA-000005 and TA-000017
-          "PSRule.Rules.Azure\\Azure.Automation.EncryptVariables", // TA-000021
-          "PSRule.Rules.Azure\\Azure.Redis.NonSslPort", // TA-000022
-          "PSRule.Rules.Azure\\Azure.AKS.UseRBAC", // TA-000024
-          "PSRule.Rules.Azure\\Azure.ServiceFabric.AAD", // TA-000026
-          "PSRule.Rules.Azure\\Azure.SQL.TDE", // TA-000027
-          "PSRule.Rules.Azure\\Azure.APIM.HTTPEndpoint" // TA-000029
+          "PSRule.Rules.Azure\\Azure.AppService.RemoteDebug",
+          "PSRule.Rules.Azure\\Azure.AppService.WebSecureFtp",
+          "PSRule.Rules.Azure\\Azure.AppService.UseHTTPS",
+          "PSRule.Rules.Azure\\Azure.AppService.MinTLS",
+          "PSRule.Rules.Azure\\Azure.Automation.EncryptVariables",
+          "PSRule.Rules.Azure\\Azure.Redis.NonSslPort",
+          "PSRule.Rules.Azure\\Azure.AKS.UseRBAC",
+          "PSRule.Rules.Azure\\Azure.ServiceFabric.AAD",
+          "PSRule.Rules.Azure\\Azure.SQL.TDE",
+          "PSRule.Rules.Azure\\Azure.APIM.HTTPEndpoint"
         ]
       }
     }

diff --git a/src/Analyzer.PowerShellRuleEngine/baselines/SecurityBaseline.Rule.json b/src/Analyzer.PowerShellRuleEngine/baselines/SecurityBaseline.Rule.json
@@ -16,56 +16,57 @@
           "PSRule.Rules.Azure\\Azure.APIM.EncryptValues",
           "PSRule.Rules.Azure\\Azure.APIM.ProductSubscription",
           "PSRule.Rules.Azure\\Azure.APIM.ProductApproval",
+          "PSRule.Rules.Azure\\Azure.AppConfig.AuditLogs",
           "PSRule.Rules.Azure\\Azure.AppGw.UseHTTPS",
           "PSRule.Rules.Azure\\Azure.AppService.NETVersion",
           "PSRule.Rules.Azure\\Azure.AppService.PHPVersion",
           "PSRule.Rules.Azure\\Azure.Automation.WebHookExpiry",
           "PSRule.Rules.Azure\\Azure.Automation.AuditLogs",
           "PSRule.Rules.Azure\\Azure.CDN.MinTLS",
           "PSRule.Rules.Azure\\Azure.Deployment.OutputSecretValue",
+          "PSRule.Rules.Azure\\Azure.Deployment.AdminUsername",
+          "PSRule.Rules.Azure\\Azure.Deployment.SecureValue",
           "PSRule.Rules.Azure\\Azure.FrontDoor.MinTLS",
           "PSRule.Rules.Azure\\Azure.FrontDoor.Logs",
           "PSRule.Rules.Azure\\Azure.FrontDoor.UseWAF",
           "PSRule.Rules.Azure\\Azure.KeyVault.AccessPolicy",
           "PSRule.Rules.Azure\\Azure.KeyVault.Logs",
+          "PSRule.Rules.Azure\\Azure.KeyVault.AutoRotationPolicy",
           "PSRule.Rules.Azure\\Azure.LogicApp.LimitHTTPTrigger",
-          "PSRule.Rules.Azure\\Azure.MySQL.UseSSL",
-          "PSRule.Rules.Azure\\Azure.MySQL.MinTLS",
           "PSRule.Rules.Azure\\Azure.MySQL.FirewallRuleCount",
           "PSRule.Rules.Azure\\Azure.MySQL.AllowAzureAccess",
           "PSRule.Rules.Azure\\Azure.MySQL.FirewallIPRange",
           "PSRule.Rules.Azure\\Azure.NSG.AnyInboundSource",
           "PSRule.Rules.Azure\\Azure.NSG.LateralTraversal",
-          "PSRule.Rules.Azure\\Azure.PostgreSQL.UseSSL",
-          "PSRule.Rules.Azure\\Azure.PostgreSQL.MinTLS",
           "PSRule.Rules.Azure\\Azure.PostgreSQL.FirewallRuleCount",
           "PSRule.Rules.Azure\\Azure.PostgreSQL.AllowAzureAccess",
           "PSRule.Rules.Azure\\Azure.PostgreSQL.FirewallIPRange",
+          "PSRule.Rules.Azure\\Azure.Redis.FirewallRuleCount",
+          "PSRule.Rules.Azure\\Azure.Redis.FirewallIPRange",
           "PSRule.Rules.Azure\\Azure.Resource.AllowedRegions",
           "PSRule.Rules.Azure\\Azure.Search.ManagedIdentity",
+          "PSRule.Rules.Azure\\Azure.ServiceBus.MinTLS",
           "PSRule.Rules.Azure\\Azure.SQL.FirewallRuleCount",
           "PSRule.Rules.Azure\\Azure.SQL.AllowAzureAccess",
           "PSRule.Rules.Azure\\Azure.SQL.FirewallIPRange",
-          "PSRule.Rules.Azure\\Azure.SQL.ThreatDetection",
+          "PSRule.Rules.Azure\\Azure.SQL.DefenderCloud",
           "PSRule.Rules.Azure\\Azure.SQL.Auditing",
           "PSRule.Rules.Azure\\Azure.SQL.AAD",
-          "PSRule.Rules.Azure\\Azure.SQL.MinTLS",
-          "PSRule.Rules.Azure\\Azure.Storage.SecureTransfer",
-          "PSRule.Rules.Azure\\Azure.Storage.BlobPublicAccess",
           "PSRule.Rules.Azure\\Azure.Storage.BlobAccessType",
-          "PSRule.Rules.Azure\\Azure.Storage.MinTLS",
           "PSRule.Rules.Azure\\Azure.RBAC.UseGroups",
           "PSRule.Rules.Azure\\Azure.RBAC.LimitOwner",
           "PSRule.Rules.Azure\\Azure.RBAC.LimitMGDelegation",
           "PSRule.Rules.Azure\\Azure.RBAC.CoAdministrator",
           "PSRule.Rules.Azure\\Azure.RBAC.UseRGDelegation",
           "PSRule.Rules.Azure\\Azure.RBAC.PIM",
-          "PSRule.Rules.Azure\\Azure.SecurityCenter.Contact",
-          "PSRule.Rules.Azure\\Azure.SecurityCenter.Provisioning",
+          "PSRule.Rules.Azure\\Azure.DefenderCloud.Contact",
+          "PSRule.Rules.Azure\\Azure.DefenderCloud.Provisioning",
           "PSRule.Rules.Azure\\Azure.TrafficManager.Protocol",
           "PSRule.Rules.Azure\\Azure.VM.PublicKey",
           "PSRule.Rules.Azure\\Azure.VM.ADE",
+          "PSRule.Rules.Azure\\Azure.VMSS.PublicKey",
           "PSRule.Rules.Azure\\Azure.VNET.UseNSGs",
+          "PSRule.Rules.Azure\\Azure.VNET.FirewallSubnet",
           "PSRule.Rules.Azure\\Azure.ACR.AdminUser",
           "PSRule.Rules.Azure\\Azure.ACR.ContentTrust",
           "PSRule.Rules.Azure\\Azure.ADX.ManagedIdentity",
@@ -81,12 +82,17 @@
           "PSRule.Rules.Azure\\Azure.APIM.ManagedIdentity",
           "PSRule.Rules.Azure\\Azure.APIM.Protocols",
           "PSRule.Rules.Azure\\Azure.APIM.Ciphers",
+          "PSRule.Rules.Azure\\Azure.AppConfig.DisableLocalAuth",
           "PSRule.Rules.Azure\\Azure.AppGw.UseWAF",
           "PSRule.Rules.Azure\\Azure.AppGw.SSLPolicy",
           "PSRule.Rules.Azure\\Azure.AppGw.Prevention",
           "PSRule.Rules.Azure\\Azure.AppGw.WAFEnabled",
           "PSRule.Rules.Azure\\Azure.AppGw.OWASP",
           "PSRule.Rules.Azure\\Azure.AppGw.WAFRules",
+          "PSRule.Rules.Azure\\Azure.AppGwWAF.Enabled",
+          "PSRule.Rules.Azure\\Azure.AppGwWAF.PreventionMode",
+          "PSRule.Rules.Azure\\Azure.AppGwWAF.Exclusions",
+          "PSRule.Rules.Azure\\Azure.AppGwWAF.RuleGroups",
           "PSRule.Rules.Azure\\Azure.AppService.ManagedIdentity",
           "PSRule.Rules.Azure\\Azure.Automation.ManagedIdentity",
           "PSRule.Rules.Azure\\Azure.CDN.HTTP",
@@ -95,17 +101,37 @@
           "PSRule.Rules.Azure\\Azure.Cognitive.DisableLocalAuth",
           "PSRule.Rules.Azure\\Azure.Cognitive.PrivateEndpoints",
           "PSRule.Rules.Azure\\Azure.Cosmos.DisableMetadataWrite",
+          "PSRule.Rules.Azure\\Azure.Defender.Containers",
+          "PSRule.Rules.Azure\\Azure.Defender.Servers",
+          "PSRule.Rules.Azure\\Azure.Defender.SQL",
+          "PSRule.Rules.Azure\\Azure.Defender.AppServices",
+          "PSRule.Rules.Azure\\Azure.Defender.Storage",
+          "PSRule.Rules.Azure\\Azure.Defender.SQLOnVM",
           "PSRule.Rules.Azure\\Azure.EventGrid.TopicPublicAccess",
           "PSRule.Rules.Azure\\Azure.EventGrid.ManagedIdentity",
+          "PSRule.Rules.Azure\\Azure.EventGrid.DisableLocalAuth",
           "PSRule.Rules.Azure\\Azure.EventHub.DisableLocalAuth",
           "PSRule.Rules.Azure\\Azure.Firewall.Mode",
           "PSRule.Rules.Azure\\Azure.FrontDoor.WAF.Mode",
           "PSRule.Rules.Azure\\Azure.FrontDoor.WAF.Enabled",
+          "PSRule.Rules.Azure\\Azure.FrontDoorWAF.Enabled",
+          "PSRule.Rules.Azure\\Azure.FrontDoorWAF.PreventionMode",
+          "PSRule.Rules.Azure\\Azure.FrontDoorWAF.Exclusions",
+          "PSRule.Rules.Azure\\Azure.FrontDoorWAF.RuleGroups",
+          "PSRule.Rules.Azure\\Azure.MySQL.UseSSL",
+          "PSRule.Rules.Azure\\Azure.MySQL.MinTLS",
+          "PSRule.Rules.Azure\\Azure.PostgreSQL.UseSSL",
+          "PSRule.Rules.Azure\\Azure.PostgreSQL.MinTLS",
           "PSRule.Rules.Azure\\Azure.Redis.MinTLS",
           "PSRule.Rules.Azure\\Azure.Redis.PublicNetworkAccess",
+          "PSRule.Rules.Azure\\Azure.RedisEnterprise.MinTLS",
           "PSRule.Rules.Azure\\Azure.ServiceBus.DisableLocalAuth",
           "PSRule.Rules.Azure\\Azure.SignalR.ManagedIdentity",
+          "PSRule.Rules.Azure\\Azure.SQL.MinTLS",
           "PSRule.Rules.Azure\\Azure.Storage.Firewall",
+          "PSRule.Rules.Azure\\Azure.Storage.MinTLS",
+          "PSRule.Rules.Azure\\Azure.Storage.SecureTransfer",
+          "PSRule.Rules.Azure\\Azure.Storage.BlobPublicAccess",
           "PSRule.Rules.Azure\\Azure.WebPubSub.ManagedIdentity"
         ]
       }